badrabbit | 8d4d683caf6146c7b80d9902cf98f4f620e423a55929335b96b12c5ad745880b

Analysis

max time kernel
57s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Ransom.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001226d-20.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
2180	F335.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
127	raw.githubusercontent.com
128	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	Trojan.Ransom.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\F335.tmp	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Ransom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2236	rundll32.exe
2236	rundll32.exe
2180	F335.tmp
2180	F335.tmp
2180	F335.tmp
2180	F335.tmp
2180	F335.tmp
2916	chrome.exe
2916	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2236	rundll32.exe
Token: SeDebugPrivilege	2236	rundll32.exe
Token: SeTcbPrivilege	2236	rundll32.exe
Token: SeDebugPrivilege	2180	F335.tmp
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 1160 wrote to memory of 2236	1160	Trojan.Ransom.exe	32
PID 2236 wrote to memory of 2732	2236	rundll32.exe	33
PID 2236 wrote to memory of 2732	2236	rundll32.exe	33
PID 2236 wrote to memory of 2732	2236	rundll32.exe	33
PID 2236 wrote to memory of 2732	2236	rundll32.exe	33
PID 2732 wrote to memory of 2636	2732	cmd.exe	35
PID 2732 wrote to memory of 2636	2732	cmd.exe	35
PID 2732 wrote to memory of 2636	2732	cmd.exe	35
PID 2732 wrote to memory of 2636	2732	cmd.exe	35
PID 2236 wrote to memory of 2648	2236	rundll32.exe	36
PID 2236 wrote to memory of 2648	2236	rundll32.exe	36
PID 2236 wrote to memory of 2648	2236	rundll32.exe	36
PID 2236 wrote to memory of 2648	2236	rundll32.exe	36
PID 2648 wrote to memory of 2800	2648	cmd.exe	38
PID 2648 wrote to memory of 2800	2648	cmd.exe	38
PID 2648 wrote to memory of 2800	2648	cmd.exe	38
PID 2648 wrote to memory of 2800	2648	cmd.exe	38
PID 2236 wrote to memory of 2824	2236	rundll32.exe	39
PID 2236 wrote to memory of 2824	2236	rundll32.exe	39
PID 2236 wrote to memory of 2824	2236	rundll32.exe	39
PID 2236 wrote to memory of 2824	2236	rundll32.exe	39
PID 2236 wrote to memory of 2180	2236	rundll32.exe	41
PID 2236 wrote to memory of 2180	2236	rundll32.exe	41
PID 2236 wrote to memory of 2180	2236	rundll32.exe	41
PID 2236 wrote to memory of 2180	2236	rundll32.exe	41
PID 2824 wrote to memory of 2784	2824	cmd.exe	43
PID 2824 wrote to memory of 2784	2824	cmd.exe	43
PID 2824 wrote to memory of 2784	2824	cmd.exe	43
PID 2824 wrote to memory of 2784	2824	cmd.exe	43
PID 2916 wrote to memory of 2912	2916	chrome.exe	48
PID 2916 wrote to memory of 2912	2916	chrome.exe	48
PID 2916 wrote to memory of 2912	2916	chrome.exe	48
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50
PID 2916 wrote to memory of 840	2916	chrome.exe	50

C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1456671091 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1456671091 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:58:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:58:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2784
- - C:\Windows\F335.tmp
    "C:\Windows\F335.tmp" \\.\pipe\{BC9F04BE-79B4-4D5C-B1EC-C685410E7524}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c99758,0x7fef5c99768,0x7fef5c99778
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:2
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2236 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1588 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1156 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:2
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2948 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3408 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3620 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4016 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3768 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2440 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1580 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3952 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4216 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4248 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4284 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4240 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1384,i,11592102702417474239,17015282088542746908,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  PID:1588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0b61148d-e81e-4da0-b722-73380056e191.tmp

Filesize
353KB

MD5
f866062e5e0bccfd8bdcaef0770820d5

SHA1
16e9d59445ecb04f99124d908f65f207f6cec7e3

SHA256
2e4acdfb240251edc67b14ad039123f26c6b81ad16878f11fa3b4f1fd97abcf0

SHA512
5d62cea848c474e0006e6126a0e0baa7a2625523196b15340e4b5e44fe45a19d702ac43cb2c1d47a0248ee6702e3a7b9053c2b06c782e98229e23e4cbdace541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6f054eeb-fcfd-4f29-a40a-14ca2462b680.tmp

Filesize
6KB

MD5
154540f4a73ff2c4580c84bcddadfaf1

SHA1
dfc3e2a45d92ec73e5110a1f2be2916a60e9efd8

SHA256
8a43ff2d336ca48f150aacf7fc2d2654b4afedfc5eeb753de1dbf2e848a497e0

SHA512
40748f5f1facdb57ece8abf0dc2c6634494f9e67b7f05b9ef233bc9d7b25a13e29ef46874cf8fe3174a6dea11d0c285c09b6b3207c3fc814a67fb05cc462290e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
21KB

MD5
eb5f2f8b27b3794eb0b9d7302f3ed208

SHA1
ceb14ae185daed71ebd356c06f067ee90ca75a3a

SHA256
16a56eb5759e2174470278fec544af28e58f93a2e895141c140eef9409efeb60

SHA512
4c1441f9bc16c6c03df5c727c75e238d41aa24127904f86d18eb755564765eed86674de1d6d19406c2f9085454bbaa26c9b65f31973a364906878a9fa4688eb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
37KB

MD5
9a0f2fed78beabcb1af818103e79eb49

SHA1
e36dcc0472152bec227a1f5a81b5024ff3624452

SHA256
bc3ea6c39f4b013cb279391c0adbbd540219cae079703926d37a82dab9046450

SHA512
c4a96707d57cb474f45d669a52e31cc4f34e783b3600781c683c88d470cc6f6c3a5c5a399af33b8a193c57df87e797087fab9f6817048baec5a75e44ff835c6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
16KB

MD5
dc491f2e34e1eb5974c0781d49b8cbaf

SHA1
b73ca9b5f9c627d49da4ecbc3455192e4b305a3f

SHA256
f956049f0d96d455a71003eba400cb94f7067bc52620cd05b81006ecfdd438d8

SHA512
5c9bd0d5c93a05ca76eb727328a0fde40f2be7fe53b6b6c9eb260e8f20f92cfc831fd4b46f954d85baf151ae8aba1cdd6f76b0faf96217922cad844c905f3645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a4965263a84df041ac69d512b5d00398

SHA1
bb4a99996e2117e8525fd519ed6c5a4f4a71ad94

SHA256
faf88dbf3f3e55a7b2ab9312629927234dd862d4adffaecfa68221c69b7a75c9

SHA512
cbab87889ba87cdeed267c7acff1da1533f796a9c39eb19abf2fda1d19034a7758397c2fcbb26ef2825480e94e5198870dde5bfb7ed0c334669fade6b57c0dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dfd8c4d25659cf7a9823c5135dd88242

SHA1
2b207e1fa32061b829915c41ede2e74547cc3e72

SHA256
0aef6e62fbb04a7baa1b53ecf1c7f16fa108f6b890f983d0e1fbd2c27cf26cad

SHA512
0b8d991a3a64756333fda8cff906efc402966183f56d70e87f507ac030b26a90ba7fda2f2a184260560e9a2aa320778a33440001e4767e20c9d0da7ef84b5e8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
1bc4b2dcd3cda26c3348890e993c8e62

SHA1
4a153e4263227e184e9a8d5e7b7f4bbe6e49d976

SHA256
38d9551ae06c85dd76b4443bb8801a8c1111a1a8861881dbb1ef9b60aa913ffc

SHA512
4d5f2608a08abe9b74cb1984d9a40e617b95787577729fb66aae6e1bd278bca365b5291bf2119ad7d2e848233965ae1538c9d68425affc6aeab8f33cd717f8fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
dfdccac5ab53e34621dac53f57468575

SHA1
b8c74a46ebe433e09865c56f63486f45bdb84369

SHA256
08015ff46b3fe5bb84e50cbabb4a91c2a30c62d04a5d4c0c9fac3afd4a594e09

SHA512
d99b2b3c8372a2da5675a89e8750191d11694946ebf4a609090e59b96ea840a38088d57584501bcd627b129e85cc002d25fa5736cd1320aaadf65d47ca97790e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
1114d9cfddde0d14de97ceb8a74d3d18

SHA1
155a5fcb3d61820b2ce045e2a73fb460d5da0031

SHA256
790622f9f69806fd0439b5eb75ae3561850ad2a8594329276889582a28e54c73

SHA512
ed409306f6fdfea42de99a3dde09c4f9a1dac82dc36f944eb85bd16d0039e8b050f815fddc88ad426a098573049e2b647696d185ee77c04df8f9cca8bbde0adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1657cffe4f48b959a4bae858a34626a5

SHA1
f464f3277081c9a8f428a67f207553666b571d0c

SHA256
8bb577a3e32f34456b553225e93421b21d88f739c06c56ed56ff2b360fd4615e

SHA512
5899dd1c6c41819c0d6eddb27dd91e802f84436596f96c2db4eea74ce6354bfa3a67e2202ac0b3c0a6f80f4ed87a967f492105316e10b59b5fe72c59c0989516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
519f2fd7ec0d3c5d1df96e8df5461933

SHA1
db3adb066de60f63e25fd8e790e8351b99cac951

SHA256
407620c3054fbd78e90d1331e436be0527e54dffd5b161db8bb6eee887f6a449

SHA512
2682c0a73713ffa4dbb01d9416d764d57001fb182e93b564df26e11b60d9029b02f2ed14b5f4a836cbb7ecef1cc4d98c9d1eb29d4470cbe9f7161eecf0dff5f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c860fb498fb26ea7208cec2bf1f33fd3

SHA1
e1b838ff8cb997e745f4203ca4d04b304336a23f

SHA256
ec9e01ba9f1fadfdec1e51e9270d588c65fd47525ba95f90c264c38c090c8ba4

SHA512
05315b55500ce0b91cd24f4337caf405ada97e25dd43aadd36c98909850084023c9fc115128a28f39a627b9d4b611edb1709c96c728eff78079540defb8204d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
8623712bb080214ed2fb272535735934

SHA1
3af70c11a69f93d3e4b3cb890b198bf9061c3ae5

SHA256
1b8b2a153d6beb72044fe99ad461628da647e4999cae5c7e081a84dd6788acca

SHA512
92a25d2b538d8bbc37a80ef6f51fbf9c48e28e5d5c426805e8b7a013c008c21014f9d51cc460ca68f09869fbdc0b73bb8aa72b7130dbb669c9a587c94a780263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
412KB

MD5
5fa4c8f96974402f72c15211989649fd

SHA1
55b19eef3ecc8a0ebe81e78aa4a135abfbbd47b7

SHA256
0cef897dd991d13e803c329b19e6169917485c9cda3d0f79de813743a7ec03da

SHA512
079d30c219e1bfacdab0d4b6aa44e5b5570285af2893d201b928b085b05b74f2db6fdece0009c7df93e44063153f245e58a5d1a5a5e16cf70cbd7ec406fbaf4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
bd388b7e70ce7f3481f2df30b4833619

SHA1
d48d63e6e1168fcb88ce6923f6ee286a2774d1ba

SHA256
89fe8efc72c4e0e2e416386611f638a7f8ea5d828ad7008653aa7e3eee580052

SHA512
e515175d3d4d4bd7881b7d60e5f4412766a4d708b075b4fe6a168beef69bc9f8bd00893f8295f9d16e42f785374f6f39cb6f35551152dfbf8bedc050872d19b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7B1.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Windows\F335.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1588-764-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2236-2-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download
memory/2236-10-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download
memory/2236-13-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download