badrabbit | 768e033c269b8035a23a73c3b31be5d659daa626daa08c17a3b302cc07fe2348

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2025, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe
Size

1.0MB
MD5

6f1f60d754943d430fc0972d80250baa
SHA1

adf06a5a69d5baf86e78f43e239ad4e0e8f25315
SHA256

768e033c269b8035a23a73c3b31be5d659daa626daa08c17a3b302cc07fe2348
SHA512

bd4e2ce0cf5a86d538e815efce24062155b6026ffa2b03564a001f0eaccf39c02b2b17a6fe5676b338bb6ac8e73df160a9e9e2af80cdb6821aba72764386e522
SSDEEP

24576:TR+cl7X1BRnI6hmebOe1gmx2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKHStRv9xFK1gEr0E

Score

10^/10

badrabbit mimikatz defense_evasion discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022ecf-120.dat	mimikatz

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
1200	A2-Cryptor.exe
3936	BadRabbit.exe
4764	FMLN.exe
5336	6DEC.tmp

Loads dropped DLL 1 IoCs

pid	Process
4908	rundll32.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
4076	certutil.exe
4644	certutil.exe
4808	certutil.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\A:	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 20 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg"	wscript.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\6DEC.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2-Cryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMLN.exe

Delays execution with timeout.exe 12 IoCs

defense_evasion

pid	Process
3596	timeout.exe
4172	timeout.exe
2000	timeout.exe
1476	timeout.exe
4616	timeout.exe
1536	timeout.exe
4596	timeout.exe
2080	timeout.exe
5992	timeout.exe
3424	timeout.exe
6008	timeout.exe
948	timeout.exe

Modifies Control Panel 10 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6072	schtasks.exe
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4908	rundll32.exe
4908	rundll32.exe
4908	rundll32.exe
4908	rundll32.exe
5336	6DEC.tmp
5336	6DEC.tmp
5336	6DEC.tmp
5336	6DEC.tmp
5336	6DEC.tmp
5336	6DEC.tmp
5336	6DEC.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4908	rundll32.exe
Token: SeDebugPrivilege	4908	rundll32.exe
Token: SeTcbPrivilege	4908	rundll32.exe
Token: SeDebugPrivilege	5336	6DEC.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4764	FMLN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1200	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	86
PID 364 wrote to memory of 1200	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	86
PID 364 wrote to memory of 1200	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	86
PID 364 wrote to memory of 3936	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	89
PID 364 wrote to memory of 3936	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	89
PID 364 wrote to memory of 3936	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	89
PID 364 wrote to memory of 4764	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	90
PID 364 wrote to memory of 4764	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	90
PID 364 wrote to memory of 4764	364	2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe	90
PID 3936 wrote to memory of 4908	3936	BadRabbit.exe	94
PID 3936 wrote to memory of 4908	3936	BadRabbit.exe	94
PID 3936 wrote to memory of 4908	3936	BadRabbit.exe	94
PID 1200 wrote to memory of 4988	1200	A2-Cryptor.exe	95
PID 1200 wrote to memory of 4988	1200	A2-Cryptor.exe	95
PID 4764 wrote to memory of 4664	4764	FMLN.exe	96
PID 4764 wrote to memory of 4664	4764	FMLN.exe	96
PID 4664 wrote to memory of 2540	4664	cmd.exe	97
PID 4664 wrote to memory of 2540	4664	cmd.exe	97
PID 4908 wrote to memory of 4500	4908	rundll32.exe	98
PID 4908 wrote to memory of 4500	4908	rundll32.exe	98
PID 4908 wrote to memory of 4500	4908	rundll32.exe	98
PID 4988 wrote to memory of 5896	4988	cmd.exe	100
PID 4988 wrote to memory of 5896	4988	cmd.exe	100
PID 4500 wrote to memory of 3600	4500	cmd.exe	101
PID 4500 wrote to memory of 3600	4500	cmd.exe	101
PID 4500 wrote to memory of 3600	4500	cmd.exe	101
PID 4988 wrote to memory of 4776	4988	cmd.exe	102
PID 4988 wrote to memory of 4776	4988	cmd.exe	102
PID 4664 wrote to memory of 4808	4664	cmd.exe	103
PID 4664 wrote to memory of 4808	4664	cmd.exe	103
PID 4664 wrote to memory of 1536	4664	cmd.exe	104
PID 4664 wrote to memory of 1536	4664	cmd.exe	104
PID 4988 wrote to memory of 4076	4988	cmd.exe	105
PID 4988 wrote to memory of 4076	4988	cmd.exe	105
PID 4988 wrote to memory of 4596	4988	cmd.exe	106
PID 4988 wrote to memory of 4596	4988	cmd.exe	106
PID 4908 wrote to memory of 5832	4908	rundll32.exe	107
PID 4908 wrote to memory of 5832	4908	rundll32.exe	107
PID 4908 wrote to memory of 5832	4908	rundll32.exe	107
PID 5832 wrote to memory of 6072	5832	cmd.exe	109
PID 5832 wrote to memory of 6072	5832	cmd.exe	109
PID 5832 wrote to memory of 6072	5832	cmd.exe	109
PID 4908 wrote to memory of 232	4908	rundll32.exe	110
PID 4908 wrote to memory of 232	4908	rundll32.exe	110
PID 4908 wrote to memory of 232	4908	rundll32.exe	110
PID 4908 wrote to memory of 5336	4908	rundll32.exe	111
PID 4908 wrote to memory of 5336	4908	rundll32.exe	111
PID 232 wrote to memory of 2896	232	cmd.exe	114
PID 232 wrote to memory of 2896	232	cmd.exe	114
PID 232 wrote to memory of 2896	232	cmd.exe	114
PID 4988 wrote to memory of 4172	4988	cmd.exe	115
PID 4988 wrote to memory of 4172	4988	cmd.exe	115
PID 4664 wrote to memory of 2080	4664	cmd.exe	116
PID 4664 wrote to memory of 2080	4664	cmd.exe	116
PID 4664 wrote to memory of 5992	4664	cmd.exe	118
PID 4664 wrote to memory of 5992	4664	cmd.exe	118
PID 4988 wrote to memory of 3424	4988	cmd.exe	119
PID 4988 wrote to memory of 3424	4988	cmd.exe	119
PID 4664 wrote to memory of 6008	4664	cmd.exe	120
PID 4664 wrote to memory of 6008	4664	cmd.exe	120
PID 4988 wrote to memory of 948	4988	cmd.exe	121
PID 4988 wrote to memory of 948	4988	cmd.exe	121
PID 4988 wrote to memory of 3596	4988	cmd.exe	122
PID 4988 wrote to memory of 3596	4988	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6542.tmp\6543.tmp\6544.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:5896
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:4776
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "Encrypted.jpeg"
      4⤵
      Deobfuscate/Decode Files or Information
      PID:4076
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:4596
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:4172
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:3424
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:948
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3596
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:660
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:2716
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5296
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:3956
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:1340
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:3192
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4536
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:1352
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:4348
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:5128
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5804
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5436
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:2624
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:1168
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:2432
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:1476
  - - C:\Windows\system32\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:1556
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:4460
- C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
  "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 230693274 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 230693274 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:44:00
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:44:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
  - - C:\Windows\6DEC.tmp
      "C:\Windows\6DEC.tmp" \\.\pipe\{329245BB-353B-4DBA-9751-96D06B5782E2}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5336
- C:\Users\Admin\AppData\Local\Temp\FMLN.exe
  "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6551.tmp\6552.tmp\6553.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\system32\mode.com
      mode con: cols=170 lines=45
      4⤵
      PID:2540
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "Wallpaper.jpeg"
      4⤵
      Deobfuscate/Decode Files or Information
      PID:4808
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1536
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:2080
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:5992
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:6008
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:2000
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:5500
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5788
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:1948
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4560
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:3928
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:2324
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:1860
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:3304
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:1060
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:6044
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:4176
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6048
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:5332
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:3056
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:2748
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:4616
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Data.lp" "KillWin.exe"
      4⤵
      Deobfuscate/Decode Files or Information
      PID:4644
  - - C:\Windows\system32\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
383B

MD5
5b2f4b19baac5325cbeae4d8024d064c

SHA1
4f109afc12cec097f003f1723c1da56940f69b8f

SHA256
43464f239bf395e90405c7579f7380d06a0b581bbd0a8ca836b05a82808be78e

SHA512
7deb4fea0601cd364bda06c74d6a5d52ffb3d16935d8552c91ebca7d790f6566c64746ff58e61936356758f4b93d91931d477c363ccc4af9a133e0456f9fb40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
766B

MD5
433462fb538d97ef9657a2e29af4d2be

SHA1
f2934de645bae62ed5eccdc32eebfaf6f4f6f120

SHA256
0b8665f56a65330f60e3d448e1a4f894bef2cdc7c85546476ed58c23932c172e

SHA512
505812100337add87bb78eddacb921cd5e34946c28f8cfdffc112ed960bda221d074e4489845a786275a1345cdbe6c91641057dea886963012e56902c3c9fb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.eky

Filesize
97B

MD5
d8a620bae81c88e9b308bbf3c273faa7

SHA1
84fa1876fa0360a420ecc8c2d092308eaafd1512

SHA256
0f2ac96052210fdc34d0fb4ba605bd74f38e00ef1f806b6690bf6625789bed93

SHA512
c5c0ff1c11604b0a441ce2b63816dec950888ea8b46f17f28bf4cbaa2226a8ef3ecf62732c5eb5d14323a2b354f83d7559d9baac0806eeba4b3c3674b30201b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.pky

Filesize
96B

MD5
db0c1b06c8258f39c9004994ec478a89

SHA1
022442607e540dcd9cd7ad3bf59d5c1fcfc7c059

SHA256
645c799db4492c2bf8d1471b02f5171f24d550335d3a7b4433b82e796d824d06

SHA512
522c68d0132733276cdff24d07436118454e60f2ccbf5f2b838b5b96d26751c92fc75fab329193f2ba111b5b7583471b559f44d401959bbf97e7ce8b4d5d821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.ple

Filesize
102B

MD5
f38ddd14eaf529d81404e34223802b5a

SHA1
688447417adf783365fa6546f3fdbcb1a2c9ba93

SHA256
fe36416806189777f40ebd7c6b854f40bbed02ec8cbb8e4b0b764269d2a07041

SHA512
c5da5f25d625ef8a310fc6c6b6c7c9c4d9d3680f2ec8146bc8ef2e5018f23be42462101666e1919a74a0228dd72a3fa4750d6bcfeaac002c555ca0539931e61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.res

Filesize
97B

MD5
1344c86288d5ec7a726f4e209c3b6a6a

SHA1
46843ed08917592418be052419632f897e6050af

SHA256
e6ab6bc19a02af49fa347756a7fd48d4366db9cb05134a7c6c70618b77fbd4fd

SHA512
3101e9d17bc6301eddbd9dddc619c3926227c72c6846e00d2c50b0fe5696d9853e341aac90bff49fd254d760cc06e56fe77412476ffc481eb996d506002d10d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.vhc

Filesize
100B

MD5
14ebfe878ce6fc7634669004ecd32467

SHA1
396d4bdd3e07f7496f43fcaca9bdb099cd8fb4e4

SHA256
ec88e9db79eb40c0d865feb9cbd61a12e117bd55dc3c31ee318ee29ff00060d7

SHA512
ec0a26f4f07b9044ad94db3b6a6e1b797de8cc45960433a68e691f00eab7c453c45508ea1cefebdecf628965e7f8136f44544bb2e0085ead7fbe54326a56c188

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.zsc

Filesize
100B

MD5
26aaaecba00644eb8fb0f7787112db14

SHA1
d6f3234a716556f324fa03cf9a437b2c70f3294c

SHA256
515a1aa845c3bab55563115a0e6072750951e95f37949dee37814beefc8661e6

SHA512
77f6deba11609a51a9434ac4a9339be72a82641967a22e404b60fd914a1177723af018de955179785ded2e43e08fd2e95b340ae8a9686b7be3e66246caa88849

Download Submit
C:\Users\Admin\AppData\Local\Temp\24841_9583.bat

Filesize
127B

MD5
71f2ece5d6de26f528ff0e1c9382f1c9

SHA1
12b4fe9e4f1d4e0ea494393282baeb58f5991c8e

SHA256
648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01

SHA512
0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\6542.tmp\6543.tmp\6544.bat

Filesize
33KB

MD5
4b42191175209ea23203acc526307c00

SHA1
a77abea54f5b2a0084fd1574a1c5b6e1df1df054

SHA256
4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

SHA512
fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\6551.tmp\6552.tmp\6553.bat

Filesize
54KB

MD5
93841169c4264ce13735e8b116d06226

SHA1
1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

SHA256
82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

SHA512
ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe

Filesize
122KB

MD5
d6e36f6b145a4601a84835b7e8a0bbc2

SHA1
3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

SHA256
46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

SHA512
e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Data.lp

Filesize
19KB

MD5
c63727e7d32cd53e644d8ab3435778fa

SHA1
4f187b6d1a0839ffff7bcc69368b40ca007067b3

SHA256
91d5604845d13992f916f56c2301cf866973520ef647a5d7073cdddc0bca3d00

SHA512
278aa953b1578c2b7eebcd6d4dc3241a3e8862ce1ebafb2e37ec3715f2f92833f147c41227052f8ec6f06ae35d71f810913b3c28dd1675ee5e473559b3e85bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
432B

MD5
b8cd1445ff982b91ac2d0cadbfbae505

SHA1
a3d32347352f9435b35097e3dbfb74a4d5f0ba04

SHA256
2520427655f6bd0d57aa946fb9395d994043eb81216a3bad2ab19b20f031de88

SHA512
0c5c9c3a68a0b6f2e92e83a11ec9248c69b948d8102b31680fee70bd85ae99d7189c0d9e3c52b7e619aa33f2cccfc3976cf3e71ab1541af7f7cc35867ba5f002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
652B

MD5
172e95f2c308e206780bf084ff9a3b18

SHA1
c450da9f086141f59d95eded52c1785c3b5c2979

SHA256
aeac2458db12cbaa0082665a100a88a0b9ea0a825748c8d0a897f4cc12155213

SHA512
ea902c098fc5166e3fc85a1c8b9156ac88975139c9891db0472cd19ffae4827a76f0641eb2d56cc6b222263607b23b03260cb1122f44d38427370364ddbc9995

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMLN.exe

Filesize
258KB

MD5
c87988e35ec34779191f42b6213fdec1

SHA1
81036dcf6ea331243f2d512b8ac9611a95a18ea1

SHA256
96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

SHA512
ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image.bin

Filesize
21KB

MD5
f6f72da7cd731682ff5442ba541457e2

SHA1
60bddfc609fad2f80c0688905e795e51003d9433

SHA256
00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1

SHA512
2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillWin.exe

Filesize
14KB

MD5
3713a4dfdfa399b20561aa8bcbea1b25

SHA1
8109cb8e9e9c00fba74d456c1756799c72072989

SHA256
8e4e731640114f96219d4aa6ce2416c2f1db7e75834cdca91c380de6b0eebbaa

SHA512
a34244e4622648dc19f2efa001bf461cec7794bb7050fadacd5369272d83db87fef711afbb5a108b7665304430a419ee7fdf09c2e8155f496eba1a321142b090

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
61B

MD5
6e7bbf235c360a312bfa7e107015a7a4

SHA1
add18238d1e73324a762c30e91c416ec1680e1a7

SHA256
f9ee6891ce0c08bb208531f765715abbf1ac7e18bf7e35c1f8d3c2b3fe0bfe7f

SHA512
3a5dd88207f999e56e6667c456ce41168e2c11f4337fed9458c41d439c079fde0c586a924df2bab758fbee4d564f7010ff0aa26cf3cfc509a4e8801db73721ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
109B

MD5
078cecd07bb2d5f32977b26fa5af016b

SHA1
40b53ef401db15236ad9b5bb0e61c9c0c8d5de5d

SHA256
974473e11c7d53df8c273f551b57302a1d4a7462e9b679ae421c008c97972360

SHA512
98e20e2e9c4abaaa4c83408f1bd399be76405935f330ab835c76703e6d4b0f7b5f7f09b6d832bcc96dd13293a0daefd4bb7d970b1bb808b56a5a9315280754a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
111B

MD5
5d13f178e1cdb13ca41ea278083bb917

SHA1
e181a900563dd92701bcce13d2df6e7fcbc2ffd9

SHA256
523248812cee48db017beb8a359b805e9fbb4ccc272af9d5fa592c0941e4740e

SHA512
ef94eedb39afc5327a73292bff9e450fb89f5520687251c08eb267b4a51d2ddb60ba6f325edc3b24ee0e5e0f1adb4e2e4316c32d3dd535bac53c2dc0cbabb9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
161B

MD5
cd88e2d00624eea9906a00e454520ad1

SHA1
2f1e69bf7dd736e723e531156c1f77714c3b18b0

SHA256
4a697a20510d1ec03406a5d659ad39e7a79db27b2fdac0cbfd34605e238d74a0

SHA512
2af9c3ad4106f29376bbe15aee884f6763514a906250aae8bfd8bb382efc4992d249ad1b43e9c43bb7d966f2be52406fc4c34ea1d5f8c6bc65ffb731b534f846

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
221B

MD5
40062c4ee4c82bda9f6166bb38fb4561

SHA1
c9989d71e13f9eee477651c549b6e2690ba03d3d

SHA256
68433bff93b357a4fe8702b184e03182f9361914454e2ec7b767c7906ef55f16

SHA512
1776efc6136e2e86481021dd69164a8a964cf03461af06eee0920e287ff6d126d32f46243858b4cb18a91376c3e71dce928957c126ed1b39dfe3c80f47dcf345

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
407B

MD5
cf793ca9fcb938304f7e211ccbabada5

SHA1
11d03649ea25b7f1fb165699b2ae5099f6ee25e8

SHA256
857d35b6de57efac2aedb4f667193afd71c9fb7d5c08db45251e890d6e06cf8d

SHA512
93e728becc68d54eb651560f9ef185d131266557522e035557965a6d2d17d946d3512bf3f317e5103755b95ffff0599ad8607722f15eb462232e826de96e5b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
411B

MD5
4c1234a8578e4801e429e70eb83d0111

SHA1
1edfdeb6fd6d8fbf2b18816ac945f74f8c33532a

SHA256
81ccc2560b037fa3ec8ee8d3bee6e710c7c07d83a0055a6f022290558c33b8c3

SHA512
892e902d8686b9306776199deb4bb08a31a29beef146cd2ef3d4a12826e0fc7d0a357c5ec509e8f8b440fa1862825ff74917fff84479caaf8f093db4694eecfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
489B

MD5
5cf0e89e66869b11829cbbbef07c6b0f

SHA1
ff8e6026c49deff44f2907ee8a30f7014937ff6c

SHA256
d004063ca894fd7d09892ec7b619ce79672a7d24904a1cc4700fc3e48f827f07

SHA512
5f0dc1d4346aa74b3ad2ff0c61a99e8b50dc37cd9d92be5f3389c80832e3315e2de44440a07906e098e44aa64f0a90e0bc00d098f7d52a38be96438b295fe363

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
633B

MD5
e3fe88ea9ec720748c9ac85d20c625eb

SHA1
26267b50609006ce90d421c80434e5b0df106f7a

SHA256
9ce7ee25a1bf1a4a9d253f080d210a7931c985d9943f79b83cbb160c55b6c7d3

SHA512
06ed50738663bb9c07cfd480657d011a0c49b491f7fdd013f27cb13f89bc54a49da66c75914840bf78eb08ee22d05a4067ff42d5a32756c7981f47f44eb6473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
692B

MD5
16cf0dbbbaea5679a5d33ea88d7f600f

SHA1
09ee3a2a0cb24782d8bd0ad0b7b391894376d578

SHA256
47b0ced9c7afea1b0cdc3d1d2f6dd9bdb5d4a562d7938bd2b1f68547c7a564e8

SHA512
121cb48edd533afd1a20ee6ebd9a4330a28404f8cf55daa7d7c9df49b3485d77ab2b9710faa97736a40b10cff8e0c4d453a9b95d4edbbf31cb028308e11d0088

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
694B

MD5
e1fe1f8664fb5831eec3e809ac42693e

SHA1
ddaac6ee4a4634bd23d89727fe919218b630e51f

SHA256
1ceb980797ce0b4f8c73993a954e688e178444d9e41b0fc39e45b2a06a5bc5dc

SHA512
bd19fa5410a6fda159a60070f392841ed70be08c2ffa95966a3bc5c630773cd50b67ae620dc536d2365a68ee074a69d12e233ac3a4eb13d2ec32216bf8f8c1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
142B

MD5
2ea256fad336c721bdeb17a95e3e8898

SHA1
668567339ff0b55b71aad4f234df9d3a3b349b18

SHA256
82e480783004826de7be825bcf2a05108d7531700cf8fb0ed272f641ce537d44

SHA512
eb7cfed75667b1fa2537bf5caa27334dff71dd343af9422977cb1ada6e41841e4e487172758e5dda28d63e93eeec9bf89b74942666ac6d0c5dd1e317bceb5df5

Download Submit
C:\Windows\6DEC.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/4908-114-0x00000000021F0000-0x0000000002258000-memory.dmp

Filesize
416KB

Download
memory/4908-47-0x00000000021F0000-0x0000000002258000-memory.dmp

Filesize
416KB

Download
memory/4908-39-0x00000000021F0000-0x0000000002258000-memory.dmp

Filesize
416KB

Download