badrabbit | 9ec661c978943b08c46f922ccf58f9874c488e37d7552ede533f8e00cb53645d

Analysis

max time kernel
44s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware.BadRabbit.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001d9fe-20.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
4972	536F.tmp

Loads dropped DLL 1 IoCs

pid	Process
5732	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\536F.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Ransomware.BadRabbit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880551590805463"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4976	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5732	rundll32.exe
5732	rundll32.exe
5732	rundll32.exe
5732	rundll32.exe
4972	536F.tmp
4972	536F.tmp
4972	536F.tmp
4972	536F.tmp
4972	536F.tmp
4972	536F.tmp
4972	536F.tmp
2020	chrome.exe
2020	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5732	rundll32.exe
Token: SeDebugPrivilege	5732	rundll32.exe
Token: SeTcbPrivilege	5732	rundll32.exe
Token: SeDebugPrivilege	4972	536F.tmp
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeCreatePagefilePrivilege	2020	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5224 wrote to memory of 5732	5224	Ransomware.BadRabbit.exe	88
PID 5224 wrote to memory of 5732	5224	Ransomware.BadRabbit.exe	88
PID 5224 wrote to memory of 5732	5224	Ransomware.BadRabbit.exe	88
PID 5732 wrote to memory of 3120	5732	rundll32.exe	89
PID 5732 wrote to memory of 3120	5732	rundll32.exe	89
PID 5732 wrote to memory of 3120	5732	rundll32.exe	89
PID 3120 wrote to memory of 2368	3120	cmd.exe	91
PID 3120 wrote to memory of 2368	3120	cmd.exe	91
PID 3120 wrote to memory of 2368	3120	cmd.exe	91
PID 5732 wrote to memory of 4924	5732	rundll32.exe	97
PID 5732 wrote to memory of 4924	5732	rundll32.exe	97
PID 5732 wrote to memory of 4924	5732	rundll32.exe	97
PID 5732 wrote to memory of 4852	5732	rundll32.exe	99
PID 5732 wrote to memory of 4852	5732	rundll32.exe	99
PID 5732 wrote to memory of 4852	5732	rundll32.exe	99
PID 5732 wrote to memory of 4972	5732	rundll32.exe	100
PID 5732 wrote to memory of 4972	5732	rundll32.exe	100
PID 4924 wrote to memory of 4976	4924	cmd.exe	101
PID 4924 wrote to memory of 4976	4924	cmd.exe	101
PID 4924 wrote to memory of 4976	4924	cmd.exe	101
PID 4852 wrote to memory of 1796	4852	cmd.exe	104
PID 4852 wrote to memory of 1796	4852	cmd.exe	104
PID 4852 wrote to memory of 1796	4852	cmd.exe	104
PID 2020 wrote to memory of 2208	2020	chrome.exe	110
PID 2020 wrote to memory of 2208	2020	chrome.exe	110
PID 2020 wrote to memory of 3364	2020	chrome.exe	111
PID 2020 wrote to memory of 3364	2020	chrome.exe	111
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 2532	2020	chrome.exe	112
PID 2020 wrote to memory of 4008	2020	chrome.exe	113
PID 2020 wrote to memory of 4008	2020	chrome.exe	113
PID 2020 wrote to memory of 4008	2020	chrome.exe	113
PID 2020 wrote to memory of 4008	2020	chrome.exe	113
PID 2020 wrote to memory of 4008	2020	chrome.exe	113
PID 2020 wrote to memory of 4008	2020	chrome.exe	113
PID 2020 wrote to memory of 4008	2020	chrome.exe	113

C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5224
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5732
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1010128633 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1010128633 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:30:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:30:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1796
- - C:\Windows\536F.tmp
    "C:\Windows\536F.tmp" \\.\pipe\{A4821D5C-4AD7-49CB-A534-1DEE1982F933}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffded33dcf8,0x7ffded33dd04,0x7ffded33dd10
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1604,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4556 /prefetch:2
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4792,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5452,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5896,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5512,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6120,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6052,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3492,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4924,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4940,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6056,i,15420418453843323491,16058046750572030780,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4296

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
22ca9cd8c68eb64c7b45090c22a3cd9a

SHA1
5f2bf64051027c01701e9dc0760ac6e85f628990

SHA256
87b1086510b8f55c949d51394d3837ada1a8240abf350e4c0913338ba36045e8

SHA512
965efdfaa6ec3547bf0d9a50ca9acc1f167fe141c7ca1e3398f34b59999e940b9eb2a313221002a4a105ad04fa8443946ceb41d861a83b62b541306881a696c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
a28fb23b66cdd9fde9637a907cbbb6c3

SHA1
bc87b152d23f4e5a299a535b4374dd430b50d78b

SHA256
161d97feca4a82e316f3caa39ba2c9b69ed6ed5d1b5bff6facadffd990786c6a

SHA512
aa1a02b31d2e74b3f9e9d467c303d8c55b1454a2dcb25b506bb96af7088682db60be31379d3b6346959ea861788a5534f0ae0bb1d06ce3767954201a2abf311e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
c6e0dadb12f40caaa06b1a9e23e1a901

SHA1
5a1401224b83a3f821fe4e474d098e3b41758bf6

SHA256
21a14b66c2e68ca7e2152aee949d120049cc0ebbc0b36a9196a45646e0ed8942

SHA512
1563e4d2ce678465fb808e3f3674f395fc10219b34d790afd553ad940cad6ce55cd69980ab990df15273587e7808fdf9078a84987569d6829da6fa4c6801a873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
78de36bda646525610a3aa4ba2f61b8f

SHA1
323d902b026f3d92908020768c49d2f0f521dd90

SHA256
d3174d06d93da105417272d612ee240ffebbed04f876fc12dcf39d92717e747c

SHA512
af9fd814cbabaca5e986e5e1ce01eff42074f2230a1b155b5088981331c942ea3bc91e5b1c1416eef9f3a51c5c164d5cc03b8a944aa771c731e968d6c8123d04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
422cf5ec03f36406e0aa1f21e6576e40

SHA1
b507a664dcb7b700eb0d594514215e83a261f83d

SHA256
7d12e97a975a4df74c4b13e689fa113bc0003ca04956135f4947a40760a6d30d

SHA512
f4b824fa6e541e75b785e3909944fd80a45684a67ee10b6f11057eeb699564a8e1ee510a0b8a90ec2e447e095338354c922a9d2854ffd46178196ef14835d4da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1126634599314d01161a51db983a2475

SHA1
d054a372df5a87c31b3423f62555f3a49701ea01

SHA256
f11f5dfb1af74f160f3d26fd32923051ad39d2f41eaa867475f2ed7baff3c603

SHA512
904155b12428522def55e9582b400dfbfd5cfaf1a5a17a3428c221c53a2d8ea67049108c8173b7794abb4959132a409a8e4278a727f30077025702abb6360419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
1a1449288e9c66a43cd6d655df18e690

SHA1
58857f9f17b8f198b2eb116c03721b5a07fe0abe

SHA256
7e4e13d46955f676a6a063d2857de908f4aced3539230a55b9c3acb17f3218ac

SHA512
a9be87518fa31bc6c3aff009e6ce9be6acae0986f3d55b1c2cc7b4f128e8588499a63916461a1babafc3a03b67d32b2b9583ab9cffca0016ca1b749dcbfb46c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
60f691741c4f2b130365bfbe10b2d4bd

SHA1
bc1e3d6b421e43b0cd040f8eab2afacbe481ca44

SHA256
105e5bcf7328d3cb013e346962ae9383fed2a2b6d364ffe9d5205a1bf7ce96e1

SHA512
55db2b2e8c441b459422e77cf2a603e2cbcdf3a712390d0ed2e4a4a77f5b4761c09a57f4c6b84a2b18a50760bbcdf3732498f9d0db43c83df69dec0a218537da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b074.TMP

Filesize
48B

MD5
5465d67ba1aece2d30ccb50075a9a353

SHA1
2362ae38f2a1d4d6ef3c9976ed0396f0ca45731f

SHA256
10b4bbe46dfed5f2e97e8274e9a2c82e8bf047f891c77037d1db52330929c25d

SHA512
bdeaa2fa68f15029cdcee72d2bd14fce5d89422de1b883d68a01a4689cb1e61096336980ddbe5b1be03a71380ce4960c583456021c5256b5b1c7a7f19d4d1faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
ab7240da57607707c2618b97374aa2bc

SHA1
0d07ed71f1722da3cf9a5d1ac927baabf2f194e4

SHA256
6c1ead61026750e5984d4866a2d2f5339c4d3b3fb4309449cc34856a9a477aec

SHA512
fe2eff2584d0976244a555b2a09805d8edaa9f71f0ff4a0e08408be45c0a9c3e559b8df99d68ae3c99d8dcf961fde321f541070bf38a5bc1c82a1d4732fc52cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
787655d6fe89ec3ca4632808cb632697

SHA1
561a8075264e09b85a291d74dbb48f13156f0a87

SHA256
34151c70b8352080ff0c369fad64f65430e15b50e6a565c8030f32a7b1c8bc0f

SHA512
fe3ee8d0da94321765a739c5efe5fed25f4e75e543a454809e2c6d8c47527466abc64853805866e072238192de9325ae12a7e038ab18a7787d186e8421a19337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
e418f4856c3d12c0b8ee4e2358567416

SHA1
bce85fdfabbecff71b1ed4bbcae4c5ff716967c0

SHA256
dcaba43affd8a442af647db7c96ff56ffeaf95c422ef497573f216cfb57506ed

SHA512
f1dacc603d916a26b4b91fe341fe0b4f5cdb550cc47233bbe6b430321128beba8d6d54d49f10839df07876ae3d38e050c09e56bc22202b9e9fd18565cc1be093

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2020_1994720378\6640679f-7225-45d2-a6d9-e3f726d6c732.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Windows\536F.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/5732-14-0x0000000002AC0000-0x0000000002B28000-memory.dmp

Filesize
416KB

Download
memory/5732-11-0x0000000002AC0000-0x0000000002B28000-memory.dmp

Filesize
416KB

Download
memory/5732-3-0x0000000002AC0000-0x0000000002B28000-memory.dmp

Filesize
416KB

Download