badrabbit | hxxp://malwarewatch[.]org

Analysis

max time kernel
219s
max time network
222s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
24-10-2024 04:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://malwarewatch.org

Score

10^/10

badrabbit mimikatz troldesh defense_evasion discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aaa7-407.dat	mimikatz

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 6 IoCs

pid	Process
1092	D6D3.tmp
1140	AV.EXE
3604	AV2.EXE
3928	DB.EXE
1348	EN.EXE
3968	SB.EXE

Loads dropped DLL 4 IoCs

pid	Process
704	rundll32.exe
804	rundll32.exe
3500	rundll32.exe
2664	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
61	raw.githubusercontent.com

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ac88-725.dat	upx
behavioral1/memory/1348-746-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/3928-723-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x001900000002ac87-726.dat	upx
behavioral1/memory/1348-780-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/3928-783-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\D6D3.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4248760313-3670024077-2384670640-1000\{9A2DE798-9A00-4B31-84B6-6AFB826ACABB}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	chrome.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4768	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3516	chrome.exe
3516	chrome.exe
704	rundll32.exe
704	rundll32.exe
704	rundll32.exe
704	rundll32.exe
1092	D6D3.tmp
1092	D6D3.tmp
1092	D6D3.tmp
1092	D6D3.tmp
1092	D6D3.tmp
1092	D6D3.tmp
1092	D6D3.tmp
804	rundll32.exe
804	rundll32.exe
3500	rundll32.exe
3500	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
1124	chrome.exe
3736	[email protected]
3736	[email protected]
3736	[email protected]
3736	[email protected]
2372	[email protected]
2372	[email protected]
2372	[email protected]
2372	[email protected]
3928	DB.EXE
3928	DB.EXE
3928	DB.EXE
3928	DB.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe
Token: SeShutdownPrivilege	3516	chrome.exe
Token: SeCreatePagefilePrivilege	3516	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe
3516	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1008	3516	chrome.exe	77
PID 3516 wrote to memory of 1008	3516	chrome.exe	77
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 3024	3516	chrome.exe	78
PID 3516 wrote to memory of 4208	3516	chrome.exe	79
PID 3516 wrote to memory of 4208	3516	chrome.exe	79
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80
PID 3516 wrote to memory of 4116	3516	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://malwarewatch.org
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88aa4cc40,0x7ff88aa4cc4c,0x7ff88aa4cc58
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2992,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3016 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3004,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4380,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3148,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4340,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3308,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5140,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5316,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4492,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4504,i,14931090860995804687,8833815607526823326,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3064

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2360

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2664
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:704
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2508731387 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2508731387 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:20:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4200
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:20:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2792
- - C:\Windows\D6D3.tmp
    "C:\Windows\D6D3.tmp" \\.\pipe\{2840628E-83DE-4D5E-8C24-3628E1293E9A}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1092

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1680
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:804

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:324
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3500

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:248
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4048

C:\Users\Admin\Downloads\Ana\[email protected]
"C:\Users\Admin\Downloads\Ana\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:4392
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins1484.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:716
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
    3⤵
    PID:3000
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f87c7c27851f26b5299c1c952866325d

SHA1
ab59ec04388aa24fa92410083fc0574b94ea1b12

SHA256
a004ccd21fdd7f42e9eb6862cc9bfa7b092a4e622e84443f9f792515c3f7a6db

SHA512
d344c3d28b72595ea377931a5c4f63c02f58996655de50e042c2063bd446697c133b357a6391362111ffd94d1ff2d2570854ac992e1a7bce967bd1f0a048744c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2979b1c9e12e11d2b748dfb68d8aee59

SHA1
637b0599e85e409be7c82eb20de30597818f69e6

SHA256
3cdbabdf15c62feb5b45944fe146de8f93de482e05ee8c756850aedaa060341a

SHA512
d6d733ec039ed8fdcb85a7502d958a7188365f5b9e31a1683a9f3abeab030cc57fc4c498d5c7e2c6da38e224796982b3b6911540daec120bf4fa4f7e85dd7c23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
076a0f8b46cd14829af086625fdc8589

SHA1
780ef3539987c01436afc44638cce41368fdcbf5

SHA256
3f6b504ca6d5428cf526d69d0b2e53b9a67a041d86b6fe5aefff31f80f80bfb1

SHA512
942de6e79bdc917095cd30cda3cf3f20c2d83514cf6e1e75ff12ee0578aab0e60bc82cabfc9d3be124d4c24eaf9367424e8ece945d6892c03d73b5bcf7218359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a0bdde6f43032b98b5d623ff96eb2ebd

SHA1
1bb30d9635960bfdf067dd4bc837a6744c369172

SHA256
9ac1a70162131705ed12299ea09bb87eac4d8147c6d053c4722b6943871fb781

SHA512
785e19540068def82237175bcabaa25e90ad748982e05cb2c34cd304926e235fa882ee153659ff0ec20b5842f0abb341649ef36af95ecab1108e817784524af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ddea89b8f81d50030b4dd17958ec1795

SHA1
aa34707b834febd31f35528281d8e9276f5a3b21

SHA256
55351b6855c55255d3ffd829fc7ce5a3e7768ac9f9b8e187a5c824881fe615dc

SHA512
9d7ec3e7fa7fdf64846bb9fcbd25ce1973a9618a0c6bff160ce6581214ec049655606418253b41cbe71e5f8234aec8ccf042e0983dae6270ee280b7bc7ba9c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9b85b22059e74e522cf3952fd5db5a0c

SHA1
08206cca76a97953624312273a852de76d673e5a

SHA256
7c14aab22b1e50eeda7faa8db85b9397c60c96f92c3ff6fbbc3d395be09acfac

SHA512
7cb116c96fed1f5a3e7d71be8be02d2261e63bec5f43226547cd6a224b008303e6c579a0ddf68ce452adef91e7cf4791998f7dc4272417a7704e6f7c8504a443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eb1fd15eca052854b6d601045c31f220

SHA1
f38c06f5d3ef162c7d86cb43cc3c619348d87bda

SHA256
ad4e485c4131c0134f5e4b9a5357a67f18212a2480fdfbd546aab8f12b917f5c

SHA512
eb88839cc5b90ee8d8d7ebe61e6c36660760c975cf8bf5d5f988aa320714c79a0fb59a8310591bb95ca4d59b8320e09572ebf855e05a9d4a70bcf7b29b36ebed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0a70332cebaff1b26fd3626ed6ad5798

SHA1
9eda58a6ad0a118b00f92ae7963f62e508767cfb

SHA256
c702ce34434306fbb77e27c40644094190aeb69ed73b5df97968753d91f53f33

SHA512
cdd51acbf8c24aff6dd8dd81c511e0e209355c4c96e78d1369df9fc351fd435000c786b616d6428565a5899bbda5a7b674946058f41d840ddfecf9169adffebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
461119f9d33894aa2165ce30b999fc10

SHA1
5571c996e473409c722b31444a606223ca999efe

SHA256
4eb857e1e53e5475b4a46258486d638e5b93a939637b54727fa6337fc66913c5

SHA512
7f47b2ef3fb6d6f00d23d99c1e91aef4b71837f4b79dc28685cb7c294a414a74de8ce3128911351e59ec0324cf63ea2d1905fc08ea01f8672beabc4cd17fd333

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
000fa0bc45828d97ebf17593fa151b79

SHA1
6b118e465507c5c3d791b44078c84719edcb8f6e

SHA256
9b329b24640ccb7f3c0fbfe0306a2d290a944cc142eec0559f4f29175f72007a

SHA512
3f6a9f85645105189d8feda8cd6b06f27dfb0a93c5198c8f56fceca133fcb084445b6178a6061f13e1bbe2990fdd691a67d8f6bef97b0714a2b5aa559a6122c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f77bb38cc67524f14e01b819c625a6e

SHA1
9f67b40ddd1cf4a9c235a62f876abd81bbd9ef5a

SHA256
4db738b9908712b2d4026000f6914a08b64185a2f231a6d1ab0c1aa8cf9ee820

SHA512
1bf2a8ae4b38993f6b43674f1361bb116de6003ccd092d47ea53afdf713238b9d2104d22b8b2f74f72b08539bdcfb472c71fcc7c1186f3797673a657a13f12ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a1e65886eeac0e63f29a863bc5b5882

SHA1
ad1d6c67f240ffffce3f7230626559f5f65417a9

SHA256
a689b08fc5316f613f4b36b98f75bd557215205854fb34ba67adc749ef1aabba

SHA512
005b56354aa4006346abb269b9ddbb3833c3418a35d56f2dd5293d65bb409a5e12cd4859c9caefb272f16eee627a5c7894f612b7d513528fb804add1ec5a7a87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed42400fe11ff2158fc8eaef19d48ec9

SHA1
a9b4888dfe2794c6d3967037d33a704e6348209d

SHA256
99aad9ebbf198d82d65e4009228462833e57aae6e940ec5da2a54b7229249ed8

SHA512
e96eb38b5eb7f02e9571c6e49e9c7908024dfe50b25bfd3f50923d82d0bc0493e42b09b047a93dce7454c89a4d60b0f74bc9b46c2f253f6f451175a95fd49a93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d471bf92b690a08286d9719ed6026af5

SHA1
5c3d52ca32d8c5786b40793d4b52d1cc21513703

SHA256
5b517a256cd7bc8e46babbdc324cb1eedb06ec845b14e06164d813e01985bab0

SHA512
e52caa0313e4090733c739e3fe9c28c447620433527ff85b32dedd63fde9911d1b1ca2c14815a93c876c03de41f6aed7497e9a6c0edf5955849008dcb08d7f81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f0969eefc5080fe93e8f3c278e5dac6

SHA1
87456f58723083e75228f62efcea16d43f7aced8

SHA256
88518871b0514af6dd318d0fcf89533852da400e2b8074ea44a8efe7130450c7

SHA512
d73b06d9b7db723ecdf6c1e363cf56183153cf09e4cda462ffd9cd1442662148c1c4e7a886dbd6ded7c3d7ded9024d31dcbd4b98d8a2dff302ac7ed7c9ca6154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43a12ca88f2393330d3fbfa93d0833c9

SHA1
7a7a9d54d7304f766b2174e3d453ea2d4f2b04b6

SHA256
a84aaa87b074d9c2fc49bf90fe85c69281db5f47b2990b178dc82e4ae0208c86

SHA512
55ba3cac236565e8e821ff34983419289c132d855025a23b04d6db9b26000c6856dea31a9ac5ca45db1da5905dbcfbd2ea49c40fbd63e5979a7bfb5356de34ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
78e6ddce386f867d93cb9aedaf40d21f

SHA1
fc1f6ab39034041d2dc44f4c5717365571b564fe

SHA256
7963061d5b7939e00165e7270e7fa5b95b5e2d67044b5aec79003ad1c61fe1fa

SHA512
ef17cd066a2fdae5f7d6208a438aad07962338e09dcf0ec6f59fe5f8b38599d58ce42d7dded3c475addf44ac60f0a0317c30fc54ca5f3494ae873c7b03c27b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab3854b17f9eb63e28817f37fdbd477e

SHA1
b0d912922b09b62778bca28d9c791c653bdefe08

SHA256
0a31f8b814f4fc4369daa29d0807aaddfaecec1fdddbb59307653468a0cabc62

SHA512
32cd1406c0f7c6a8d7940f7d5348cca77841d5583d74c733e79deeb73a0639ed6cd44a8c6f4c22af5d340de1ca272bdb6b3dd0732413a5ee070395de9509a7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e0bb085d7c840ec937f30a9b6c6a760

SHA1
7c87c108589c20421605b6a403afb80c6b2dfa8e

SHA256
e063b8f32aef3e671292f39bfabcde8fddba00d3fa55f7cb15012a09222602fb

SHA512
80c8a89cad5b6f81a31c9acf456b7b17b06e6ada622cffb4417fea948e27e5e84383c2609782a8be810bbe77cac4fa42025f7e3b9ddeca77bfab2dcd99a2691a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
93d5955890932d7c7062fbd1b5843e2c

SHA1
c2f67ed17355f92a62e25bdd17f4c67bceaf011f

SHA256
a828e7384406e06c41b6339dde6d4752846550d7df2bbc33fbf5000103fe483d

SHA512
c63f7291bfb1bc28b024be5d12cf33505bc8b80c6ac546f35b23af6855b6b1268d68ad48a28db0c062fb4d62641a547e7829053dcc8b1f0294efc87d13259d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31463f1912b5a92a2f8d30de2b7a4dd3

SHA1
c9ebbda895fed944694f78658b40bdb26533b5a4

SHA256
0c01a3a79d64bbba65ac84387fa2b63b12fe4470398bf3db0ec884a58111afe5

SHA512
6dd426c674cb1abb578c8fed9a700abe08a324e2903788431f715c0e245b68e7e140b9c870d1b8488d27b18159d7088669769277d763a9444d23e977f3cba19c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
948942afe324b3721ad86673e621ec33

SHA1
227590e0263687ba78710d6c4c8c5d2d0e0f808f

SHA256
a49d4873b639f8976674530e877ed2ab70fc35eaa34311d36e96177c18f63412

SHA512
9b37ab4a80af26d5b5984c516504bc24434c16878225b77ebfbc5964fa7f0d9eafc334413d4f8e491a3c974d9fcdeca736e6fa1fd3190d39e8768913c6c7a908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
392ee2eeed992b9d442eb4a09224a8e3

SHA1
f8ea66d66f665c4cdcf2699cee824d64d3455d56

SHA256
12738bc940972eae22d1ebe9a6261fdbf75025bddabba8c6cf8aac82b0612e1e

SHA512
b367e3698aaef6aeb5ce479f11238b3144eb7fca0e28777628cd639cf03f25969411452201416d18e4bd41d8381d163d21a828bc822b69709bf6270847ba9dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2574925ab1a2b0a5e4d691acc424c2f6

SHA1
383f71e7b9c1f42c0c25f92cd9f5b81f842e3e80

SHA256
c8a343365d76154311800453bd28d8c1ad7da420b34bd397e845a12a5969a9f7

SHA512
a44dc72d9141ee0e27ac9a45f8b00586935726527fa488467ef658ab9124aae491c409e21868a78078a2c2d9227e3d4f02cd24fc46f55676211ab2dd1cdced18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
82B

MD5
9c12ec41b948e46a5108b7dbfaf1d16c

SHA1
860c5126809bae1950aa06800c5c1bcdf05f6c53

SHA256
34291f16a0ca09f3129132c388fbf0d909778432ae92059c6d85f77a622dc004

SHA512
a93099ce7e7896b91fe111c44df3beece4828d40705f08f403c63502cf778822f276a3d40f01bee3433b8b1de32cfeef9c8b445bfcfaf56befae6b3ec43f463c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57c498.TMP

Filesize
146B

MD5
4a51b371e3795b2894abe16cd4ccb36f

SHA1
c4c2b558065d4534e1e64411ec26b82b705afa89

SHA256
852633de02174806b3d4e831c66c20fab8d8f11a8eaffeebbb1fc1967d8be5ff

SHA512
30d8c61fe9e1ab039229357ac7e7df1e46d675d4bbf4b35dde0b8fddad17494d54019d24520905186f798a06b24a0ed114db230a2346b4cea8018b2e77e3a195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
4785e4aa48067b932ddad5095042c1ac

SHA1
4d7fd0db77350383cfef58668d4dc685080fe4a7

SHA256
0d4a2f879d3be940d2a3d622e0613d842e0d2d8bf2be25500af6228e64b681ff

SHA512
f1976e73892c5e3eea6b7288aca12756473ab51703c9f38b63359fd50428c9a8b523d6324a065465261d5c35301c1f103bf3519a31bc73f0ffeedae683a44636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
ac144bf227547635c2d4f7a18c00e58f

SHA1
dcaab709c47689ef75989c80f88ce5bcdff3baa9

SHA256
d4b66641ee6a5730116a175574357c21b28001f676d2d50dc18578c90db82b90

SHA512
09f7889031ac7c4723f31e5ecb794505d570aa086a3ea6ada79f0953912ec60c8397f24b2cd5116e8da9aae74f0c02aa2a25a1177d2e84b5dfb9cddf658367fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~unins1484.bat

Filesize
49B

MD5
9e0a2f5ab30517809b95a1ff1dd98c53

SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

Download Submit
C:\Users\Admin\Downloads\Ana.zip

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Ana\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
b80fd02a47fec2d57af0d8bcf22ea210

SHA1
bafbfe9963409ea30e7da55351988608eaa735de

SHA256
57a28624cb2a61cd986b4afb39f2cef6296808f2a84b83d00c70f617ac72ae1d

SHA512
c4125163c6c6515ea951081c7857ab4fd7350ec71f3c1253e060b22a62140ec5bca2dcd474a769135879ea92d620041aab1ea05d3e26cf2ee3f737f0bee95474

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Windows\D6D3.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
7f13c57aed1c74fb2273d3e30ecdb5ef

SHA1
b2a3054cdd6f5636e9d6386d3abdf9f6fbeb8333

SHA256
0812d9df3caf0071c8753c3d4abcb7b5650b21d4de23ad77fba406fcceae2348

SHA512
a55af49432e2730dbea7d54f6fe12993de3037a5d6b70c889407df672ed8ddf5d68309d2ad2a2a46fc3f5cf15a7812595aa57b588ec0a96459ec5001b1b9e263

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
memory/704-376-0x0000000002600000-0x0000000002668000-memory.dmp

Filesize
416KB

Download
memory/704-384-0x0000000002600000-0x0000000002668000-memory.dmp

Filesize
416KB

Download
memory/704-401-0x0000000002600000-0x0000000002668000-memory.dmp

Filesize
416KB

Download
memory/804-430-0x0000000002390000-0x00000000023F8000-memory.dmp

Filesize
416KB

Download
memory/804-438-0x0000000002390000-0x00000000023F8000-memory.dmp

Filesize
416KB

Download
memory/1348-780-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1348-746-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2664-472-0x0000000002B00000-0x0000000002B68000-memory.dmp

Filesize
416KB

Download
memory/2664-480-0x0000000002B00000-0x0000000002B68000-memory.dmp

Filesize
416KB

Download
memory/3500-460-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/3500-468-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/3928-723-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3928-783-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads