badrabbit | hxxps://online-fix[.]me/

Resubmissions

11/04/2025, 06:58

250411-hrmkyasl18 10

11/04/2025, 06:53

250411-hn1ndsssat 10

11/04/2025, 06:50

250411-hmepjaslt2 6

Analysis

max time kernel
200s
max time network
201s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
11/04/2025, 06:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://online-fix.me/

Score

10^/10

badrabbit mimikatz troldesh bootkit discovery execution persistence ransomware trojan upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b35d-1040.dat	mimikatz

Executes dropped EXE 3 IoCs

pid	Process
5556	C6A6.tmp
4620	csrss.exe
4868	sys3.exe

Loads dropped DLL 1 IoCs

pid	Process
5388	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
12	discord.com
128	raw.githubusercontent.com
129	raw.githubusercontent.com
1	discord.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	[email protected]
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3152-1139-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3152-1140-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\C6A6.tmp	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "23"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-649025904-2769175349-3954215257-1000\{605D5D19-1072-4342-8DA9-F44135FB4DED}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.zip:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:Zone.Identifier:$DATA	[email protected]

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3184	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5388	rundll32.exe
5388	rundll32.exe
5388	rundll32.exe
5388	rundll32.exe
5556	C6A6.tmp
5556	C6A6.tmp
5556	C6A6.tmp
5556	C6A6.tmp
5556	C6A6.tmp
5556	C6A6.tmp
5556	C6A6.tmp
4868	chrome.exe
4868	chrome.exe
3152	[email protected]
3152	[email protected]
3152	[email protected]
3152	[email protected]
4620	csrss.exe
4620	csrss.exe
4620	csrss.exe
4620	csrss.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe
Token: SeShutdownPrivilege	5932	chrome.exe
Token: SeCreatePagefilePrivilege	5932	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe
5932	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4980	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5932 wrote to memory of 3492	5932	chrome.exe	78
PID 5932 wrote to memory of 3492	5932	chrome.exe	78
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 5768	5932	chrome.exe	79
PID 5932 wrote to memory of 3264	5932	chrome.exe	80
PID 5932 wrote to memory of 3264	5932	chrome.exe	80
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81
PID 5932 wrote to memory of 1496	5932	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://online-fix.me/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc42f0dcf8,0x7ffc42f0dd04,0x7ffc42f0dd10
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1924,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2256 /prefetch:11
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2324 /prefetch:13
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4228 /prefetch:9
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4964,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5040,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5260,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5252 /prefetch:12
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5472,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5596,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6304,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6320 /prefetch:14
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6520,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5056,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4784 /prefetch:14
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5128,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4784,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5700,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4696 /prefetch:14
  2⤵
  - Modifies registry class
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5480,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6444,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5500,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6796,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5076 /prefetch:14
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6900 /prefetch:14
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5076 /prefetch:14
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6888,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5536 /prefetch:14
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7000,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6804 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=7160,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5076 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6320,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5792 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6424,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6908 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7152,i,2629582175793031292,9136504289888967100,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6976 /prefetch:14
  2⤵
  PID:4768

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8
1⤵
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5652
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5388
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 888465626 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4172
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 888465626 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:13:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:13:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3184
- - C:\Windows\C6A6.tmp
    "C:\Windows\C6A6.tmp" \\.\pipe\{4FB8C20C-CED2-4C85-89FC-7C77FBEAEEE6}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5556
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Windows\csrss.exe"
1⤵
PID:1536
- C:\ProgramData\Windows\csrss.exe
  C:\ProgramData\Windows\csrss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4620

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UnregisterDisable.js"
1⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\Temp1_PowerPoint.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PowerPoint.zip\[email protected]"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3568
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:4868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39dd855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-649025904-2769175349-3954215257-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg

Filesize
62KB

MD5
6cb7e9f13c79d1dd975a8aa005ab0256

SHA1
eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

SHA256
af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

SHA512
3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

Download Submit
C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
4c7740ea9663e9dcb87aae7d46368ce7

SHA1
9ec4b1629d1e6342be792bd80e16521b79434667

SHA256
1c41fc8d859e1830a6b2a1203343b24be08dadfb343cc3402bc74e1054641820

SHA512
7fcb240b02f424267a8f0b70b1cb1be0e3f9bb33215902e5bebfc7756e9a09bc6a63073b93b0a6d4e826a1841568b3ee969c8065d6bfa3c8b830954edfbe3e32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00008a

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
026d7de21975aca691cbb18703b97e6e

SHA1
199f3bc508154c2f28a0fef658f4a27ba5d4cf18

SHA256
80a1996197136ef577812efbd0df72b6a9f454b0f92c95475f151eeb0a08ef5a

SHA512
6d9f4820a5eb3f2eb0d6590303fa35f94f8ea78e09b4c341df4813ebd1c8168612e2417cde3d72f050a60f0368193cab93f0e13621ae04ac541f22040501c931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\834fc10d-b3fe-4fb7-9e1a-0761680a64ec.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
72f8c74f3b270b1456a71b2f86a3ee33

SHA1
43ac352803f988cf2a813741d0bc01f272357c9c

SHA256
d4f5415400efa5fc3e34e45b21c1b2acf76a4a0333a142bb96228d24190f9881

SHA512
c174d9a4340890bf66b7e573dc02d6605ebe0b3fea0eac1d07147cb6c86556df81e0f75baced59b7882f80b49e64fa5aa971ba89abe1a183bdf980b37bff7b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e0bd9302f0b6df6e8770a227805ba899

SHA1
ccfe01ef85f3c46a02b2ea295239a4f8b373351b

SHA256
482fa3cdddd698af00012118bd4283b712fa0d2a98a12b373273725170be6ad7

SHA512
01957d0bcc4dc00cbefd2d82b9bec65b361b829951938784c110dd5122acc53f8d983e16a4213416ad881e66098a692897b01fbd83587fc0cb14bf6fa5c2524d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
17ec6bfacf790429f865406ddc5ea8fa

SHA1
68ceaaa5803720a266f79b1fd49753ea52659928

SHA256
46da0e3424ba47cce67346f941f45f820d1f222917b5a7e31230a4e7c292688b

SHA512
4738258a5e61ce6ca4d0f17b4cfdda563b7f6afbbd93f33a1822993c06e70df09eae93d719658d3e9aa61ca121f211bad4e07a3cc1954c6c48d1f923212aa35a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cafaef542df9aa2527b937abc98ecb3b

SHA1
bb596eedca06f119724a633cbec9242ed74289e7

SHA256
ac88fb8180dee272914de5a129a632a22d3a3b13027a66eea63b0a2b73bd2fff

SHA512
04d1bacadf8009bacf33a1c26e99155e50559e9214f263bbceaf22fa652ecb05fefaa20b02c0f70a123f1fa7b24e748b7b4fc88c22a089bc65a8b78900f6d740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
40858bdf063d77f6d3d8029e5033240a

SHA1
08282e884e5983f8fc2ff9a604e16c7916c28819

SHA256
6424de434a707b1463734570727bb2cd04ec0766c043105830ea83048a4c4840

SHA512
dccf7e54e91590cbfd4682d2ffd2d74e12efdf23912f26353c4969e70187ccf65d80b80727bd4d1c1bac3b478119eb0ad31db52a0b35f5a843dc9477e386591a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0ed15f7404bf5cc489c434ef00b0f9e0

SHA1
4b01142525fca49139ef12089dd86a2661755155

SHA256
d824dd5f24bab9d497ac47de9155b487d2e641d002a8aca454d419650c039446

SHA512
a8778231c7b046e631131acbe31ec43d13453ad5fcb8b25be366c6076bf37b7bd2e6cba86de0fa92a5dae9c3cd9d77835cd246058e4bb5dc61a5ea2ad22872ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2394197c7f20f980bd4633a3de8136d9

SHA1
071afa17ea2830d88b979516596ea5021bca89b9

SHA256
38bb7feea8f2c1e318ca24ef7baa28c0f423612e8b4d7b39a30472fa4aad5e74

SHA512
255b5c2c255b2de504592b5422510e520d1a5a84d5c48bf3ff6ae5abd79ba6384fb8549bb36af97d31c65acbbb4bd02d0f155fb8b4d70f4e423e8d34e984fe81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2727eac677fc1789cc2eaa5d4ae18907

SHA1
042ef0b093124efe2074240a5d40ea37075205ac

SHA256
0661c0258c5b9eea9315f33fdf8072004f2092c530ced1041d1290d5442eac2e

SHA512
a57cfa453bf2da603fdfef77773cf2730fb8e26a23579c13e1d4c5f767e4334d90b76d6378ac293433ea89615ec6c205b17e3b7d1d2f712795af70bad0c6e815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2cf64c43d8dce48531d3b07ab97227f5

SHA1
0efe4ba208752ce6091bf24adfd196b99bf646a6

SHA256
b84a3eb03c2a7fb3d44b995ec92bf8ec161d052a7b90fc8bf6eca116917f66ca

SHA512
c2675038a50e844d79c1791908feaddcb1b507cf13f5c9c576358c7cdc40a1c6eb9754cddd74fe129f032887ba5123d2caf35e403c5e063ea5790098406ac0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
eebab84524ada6b11bec74ef3b554a3e

SHA1
a8ee6890df96ad384238a3289a026d2c55affd9d

SHA256
df5b50bc085da09dc89536fc118eeb3415e5316001315555370003d63479c72e

SHA512
bc87d844be774d51d93ee6d56653f792aa9d81ec4d35af284c580adda3d05252ce500fc208098f12e160d9ac0233222134513bc0929c3f1b8cad0e12ff6e429b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
26393dbd3d3ff29cd944d9a67b8578aa

SHA1
4e850a01f8450ea311a123e2ca4465fc6047338a

SHA256
f15867d341b5fa45b1ac63c07def7cc24ba21ba1625e8142151281131f6d360d

SHA512
eabb9fab3a4f8645b3cf230539c7afd0c03a9e2aa4aea91fb8f89059e73c3b18ea6c2cf20e624e7d11eb02271a298d544d95f161d5f324db6a00311185b6119d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d06f.TMP

Filesize
48B

MD5
05433ee0291be6f93d25f5f6b8b2c491

SHA1
6dbb6ab54ae80ac9a6d991d0b2167848aed97984

SHA256
4f63052f8c87af9fff014a981abe56b64ebaad258ac5c3c7b0b34073aed79d8d

SHA512
b708b039fb7de3606c1f5242eb01a956a864c8c89960fdc8e5e3ef0a8b154b85c7ad5742aa12e34d132898abb60f507edf0039bf0f6535396c0486dbc60f60d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt

Filesize
82B

MD5
2ff1ac7d3be5cbc8391108dcdfaa02a1

SHA1
78ff5a5538335c3e87ac72878922f5ecfef193e9

SHA256
b7dd564d443059d96530e58e2c6685472cea90e67c29e76fafa761d85455e6ba

SHA512
a20a08af8fbab8e109417df491bef7ac3cd1dd905383ccae7ec80d9b337eb595f1c24b23680b16289d635349af6ef01e269c4f39f65cc898705697878e6292b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt~RFe57e5eb.TMP

Filesize
146B

MD5
23098c1cc21569db8fd9136050de58d4

SHA1
a33a5c057a14f9572dc87d73a356f17a48bd1c25

SHA256
932ee3bb877de4287a3c3631c794a5aa5fa07922083c9f835739e41f5e9d6a91

SHA512
ccff77f6ec057d70c967e90ec196cc5dac3e45dd85b61690e5f94e7312bc08cca749be32027d0e5174c1517908ccb46ed0c35bd4ba5846621cf9c84f0210025b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
72d4da740f7832960f7cf25f7561364c

SHA1
ff94fde0ad242ec98b97db170f060e7fc347af5e

SHA256
dc5cfa246c2951fea5ef00bbdc8f91377f51a32f22f9cd59687a519e2b4b58e4

SHA512
71478711035311208e578591c4cdd3d37c5513a1cf8b65d2412cc0dba63e8bf20d1657e5421aa0c8165a4d1c287ad0ac0885e35a2e5f3f9f2c340640d32bb68d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
80c032be5b4bc97140676a80cb105c8a

SHA1
e38236fbce048424ec9690580f43cb1ea9eca1e2

SHA256
08489b7ce3b3b2ccd2a0d399c4d2d950d2f88f9ff5cf09eb4eb2977ac44805fa

SHA512
428dbc9390ced2b4adb4bcc5797787bbd1b4dfb887c84d260f800bddfda5054f616f33584489c676672b16746675a5568bb29250d61f3af927a332c8e8a8d5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
80B

MD5
34e19002be90417747f58e44cc1700ea

SHA1
6833d1e76b4e78f5a25cc9e74df2505b8c2956d2

SHA256
18cba779ba620fc897cc5adf01a88582f240765119e1e459da76709454355b06

SHA512
1ed2cec9f6c56d5d6cdd16a89b23fcabe0f3906a8924ad7f005f3fa1904b26d412fe76b12eb846ff8eb1ce092c22dad173741d43daa54160ef3620acb9df8133

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
126B

MD5
957688537adbc79e1108e7d67c5977ab

SHA1
88f62536f77651012f35f974ed7a814c22ec6272

SHA256
603e2714a5dfa5fe818c138b2e10f0f153c6cee0b741d4f60efd810af695f2b8

SHA512
05b1792f7798a53da9a36e95fd00bd97a50084637ef670e0fd78e2e93c6577c30d9eb64832d8bcee5098b39fa65dc1d90ee5a72414ef4a7551763b24a56d3cc6

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip

Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\C6A6.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3152-1140-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3152-1139-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3568-1200-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/4868-1202-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5388-1034-0x0000000002080000-0x00000000020E8000-memory.dmp

Filesize
416KB

Download
memory/5388-1031-0x0000000002080000-0x00000000020E8000-memory.dmp

Filesize
416KB

Download
memory/5388-1023-0x0000000002080000-0x00000000020E8000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads