Analysis

- max time kernel: 332s
- max time network: 335s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-02-2024 11:28
Static task: static1

Behavioral tasks (sample, resource):

- behavioral1: Ransomware.7ev3n.exe, win7-20240215-en
- behavioral2: Ransomware.7ev3n.exe, win10v2004-20240221-en
- behavioral3: Ransomware.BadRabbit.exe, win7-20240221-en
- behavioral4: Ransomware.BadRabbit.exe, win10v2004-20240221-en (the task this report covers)
- behavioral5: Ransomware.CoronaVirus.exe, win7-20240221-en
- behavioral6: Ransomware.CoronaVirus.exe, win10v2004-20240221-en
- behavioral7: Ransomware.CryptoLocker.exe, win7-20240221-en
- behavioral8: Ransomware.CryptoLocker.exe, win10v2004-20240221-en
- behavioral9: MalwareCollection-master/Ransomware/Ransomware.NoMoreRansom.zip, win7-20240220-en
- behavioral10: MalwareCollection-master/Ransomware/Ransomware.NoMoreRansom.zip, win10v2004-20240221-en
- behavioral11: MalwareCollection-master/Ransomware/Ransomware.WannaCrypt0r.v1.zip, win7-20240221-en
- behavioral12: MalwareCollection-master/Ransomware/Ransomware.WannaCrypt0r.v1.zip, win10v2004-20240221-en
- behavioral13: MalwareCollection-master/Trojan/Trojan.000.zip, win7-20240221-en
- behavioral14: MalwareCollection-master/Trojan/Trojan.000.zip, win10v2004-20240221-en
- behavioral15: MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip, win7-20240221-en
- behavioral16: MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip, win10v2004-20240221-en
- behavioral17: MalwareCollection-master/Worm/Email-Worm/Email-Worm.Mylife.A.zip, win7-20240221-en
- behavioral18: MalwareCollection-master/Worm/Email-Worm/Email-Worm.Mylife.A.zip, win10v2004-20240221-en
General

- Target: Ransomware.BadRabbit.exe
- Size: 431KB
- MD5: fbbdc39af1139aebba4da004475e8839
- SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
- SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- SSDEEP: 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

The MD5/SHA256 pair is the one publicly reported for the original October 2017 BadRabbit dropper, which was distributed as a fake Flash installer (install_flash_player.exe); the file has only been renamed here.
Malware Config

Signatures

- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.

- mimikatz is an open source tool to dump credentials on Windows (YARA rule match, 1 IoC)
  resource: behavioral4/files/0x00060000000231f0-20.dat, yara_rule: mimikatz

- Blocklisted process makes network request (1 IoC)
  flow 471, PID 4620 rundll32.exe

- Executes dropped EXE (1 IoC)
  PID 4920 3A1B.tmp

- Loads dropped DLL (1 IoC)
  PID 4620 rundll32.exe

- Drops file in Windows directory (5 IoCs)
  File created: C:\Windows\infpub.dat (Ransomware.BadRabbit.exe)
  File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
  File created: C:\Windows\cscc.dat (rundll32.exe)
  File created: C:\Windows\dispci.exe (rundll32.exe)
  File opened for modification: C:\Windows\3A1B.tmp (rundll32.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (POWERPNT.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (POWERPNT.EXE)
  All three IoCs come from POWERPNT.EXE (PID 2532), which is a separate process root in the Processes section and not a descendant of Ransomware.BadRabbit.exe, so this hit does not show the sample itself reading processor information.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4368 schtasks.exe
  PID 3852 schtasks.exe

- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (POWERPNT.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (POWERPNT.EXE)
  As above, msedge.exe and POWERPNT.EXE are separate process roots, not children of the sample.

- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1712835645-2080934712-2142796781-1000\{AD260F7C-24C3-43E9-9BFE-BC406DED7235} (msedge.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2532 POWERPNT.EXE

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 4620 rundll32.exe (x4), PID 4920 3A1B.tmp (x6), PID 2172 msedge.exe (x2), PID 3156 msedge.exe (x2), PID 676 msedge.exe (x2)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
  PID 3156 msedge.exe (x16)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege, PID 4620 rundll32.exe
  Token: SeDebugPrivilege, PID 4620 rundll32.exe
  Token: SeTcbPrivilege, PID 4620 rundll32.exe
  Token: SeDebugPrivilege, PID 4920 3A1B.tmp

- Suspicious use of FindShellTrayWindow (30 IoCs)
  PID 3156 msedge.exe (x30)

- Suspicious use of SendNotifyMessage (28 IoCs)
  PID 3156 msedge.exe (x28)

- Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 2532 POWERPNT.EXE (x5)

- Suspicious use of WriteProcessMemory (64 IoCs)
  source PID (Process)               target PID   procid_target   count
  3580 (Ransomware.BadRabbit.exe)    4620         89              3
  4620 (rundll32.exe)                4080         90              3
  4080 (cmd.exe)                     3604         92              3
  4620 (rundll32.exe)                3196         96              3
  4620 (rundll32.exe)                1524         98              3
  3196 (cmd.exe)                     4368         100             3
  4620 (rundll32.exe)                4920         101             2
  1524 (cmd.exe)                     3852         104             3
  3156 (msedge.exe)                  4368         115             2
  3156 (msedge.exe)                  4128         116             39
  PID 4368 appears twice in this table and in the Processes section: first as schtasks.exe (procid_target 100, child of cmd.exe 3196), later as the msedge.exe crashpad handler (procid_target 115, child of msedge.exe 3156). The PID was reused during the run, so correlate these events on the process record (procid_target), not on the PID alone.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Indentation shows parent/child relationships; each entry gives the image path, the recorded command line, and the signatures attributed to that process.

[PID 3580] C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  [PID 4620] C:\Windows\SysWOW64\rundll32.exe
    cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [PID 4080] C:\Windows\SysWOW64\cmd.exe
      cmdline: /c schtasks /Delete /F /TN rhaegal
      - Suspicious use of WriteProcessMemory

      [PID 3604] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /Delete /F /TN rhaegal

    [PID 3196] C:\Windows\SysWOW64\cmd.exe
      cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3633636346 && exit"
      - Suspicious use of WriteProcessMemory

      [PID 4368] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3633636346 && exit"
        - Creates scheduled task(s)

    [PID 1524] C:\Windows\SysWOW64\cmd.exe
      cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:49:00
      - Suspicious use of WriteProcessMemory

      [PID 3852] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:49:00
        - Creates scheduled task(s)

    [PID 4920] C:\Windows\3A1B.tmp
      cmdline: "C:\Windows\3A1B.tmp" \\.\pipe\{1E7033FE-E390-4DC8-9539-D4BBABED237B}
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

[PID 2532] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  cmdline: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\HideFind.potm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

[PID 3156] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnlockUninstall.mhtml
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [PID 4368] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9b4d546f8,0x7ff9b4d54708,0x7ff9b4d54718

  [PID 4128] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2

  [PID 2172] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  [PID 4432] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

  [PID 3720] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

  [PID 1272] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: identical to PID 3720 above

  [PID 676] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3368 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  [PID 4724] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3392 /prefetch:8

  Renderer children of PID 3156 (no signatures). Every one has the command line
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4671154475901101134,2006564111818396221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=<id> --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=<handle> /prefetch:1
  with --instant-process inserted after --disable-client-side-phishing-detection where marked; listed in the report's order:

    renderer-client-id   mojo-platform-channel-handle   --instant-process   PID
    5                    3280                           no                  1660
    6                    3260                           no                  3872
    8                    4804                           yes                 2148
    9                    5456                           no                  1792
    10                   5416                           yes                 4284
    11                   2948                           no                  5036
    12                   4024                           no                  3632
    15                   3340                           no                  2208
    17                   5672                           yes                 4332
    16                   5592                           no                  2340
    19                   5872                           yes                 4796
    18                   3296                           no                  5104
    20                   3576                           no                  3972
    21                   5640                           no                  4756
    22                   3524                           no                  5204
    23                   5784                           no                  6048

[PID 5012] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 3292] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
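The process tree and the "Creates scheduled task(s)" signature above together describe the chain a detection engineer would want to match: rundll32 loading infpub.dat by ordinal, two SYSTEM scheduled tasks (a boot-time task launching dispci.exe and a one-shot forced reboot), and a dropped .tmp executable run with a named pipe, all under the same rundll32.exe. The following is an added example, not part of the sandbox report or of any vendor tooling. It runs a small rule set over a constructed process-creation log whose command lines are copied from the report; the pipe-delimited pid|ppid|image|cmdline layout, and the PPID 1000 assigned to the two process roots, are assumptions. It also resolves parents against the most recent earlier event with that PID, so the PID reuse visible in the report (4368 as schtasks.exe, later as an msedge.exe child) cannot mis-wire the ancestry check.

```python
"""Detection pass over the BadRabbit execution chain seen in this report.

Added example (not part of the sandbox report). Input is a constructed
'pid|ppid|image|cmdline' log whose command lines are copied from the report's
process tree; the field layout and the PPID 1000 given to the two process
roots are assumptions, not data from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample log (command lines from the report; PPIDs of the two roots
# are assumed). PID 4368 appears twice: as schtasks.exe and later as an
# msedge.exe child, the PID reuse visible in the report.
SAMPLE_LOG = r"""
3580|1000|C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe|"C:\Users\Admin\AppData\Local\Temp\Ransomware.BadRabbit.exe"
4620|3580|C:\Windows\SysWOW64\rundll32.exe|C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
4080|4620|C:\Windows\SysWOW64\cmd.exe|/c schtasks /Delete /F /TN rhaegal
3604|4080|C:\Windows\SysWOW64\schtasks.exe|schtasks /Delete /F /TN rhaegal
3196|4620|C:\Windows\SysWOW64\cmd.exe|/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3633636346 && exit"
4368|3196|C:\Windows\SysWOW64\schtasks.exe|schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3633636346 && exit"
1524|4620|C:\Windows\SysWOW64\cmd.exe|/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:49:00
3852|1524|C:\Windows\SysWOW64\schtasks.exe|schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:49:00
4920|4620|C:\Windows\3A1B.tmp|"C:\Windows\3A1B.tmp" \\.\pipe\{1E7033FE-E390-4DC8-9539-D4BBABED237B}
3156|1000|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnlockUninstall.mhtml
4368|3156|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler
"""

RULES = [
    # rundll32 loading a .dat from C:\Windows by export ordinal (infpub.dat,#1 here)
    ("rundll32_windows_dat_ordinal",
     re.compile(r'rundll32(?:\.exe)?\s+\S*\\windows\\[^\\\s]+\.dat,#\d+', re.I)),
    # scheduled forced reboot running as SYSTEM (the "drogon" task)
    ("schtasks_system_reboot",
     re.compile(r'schtasks\s.*?/Create\b(?=.*\s/RU\s+SYSTEM\b)(?=.*shutdown\.exe\s+/r\b)', re.I)),
    # boot-time SYSTEM task that starts an executable under C:\Windows (the "rhaegal" task)
    ("schtasks_onstart_system_windows_exe",
     re.compile(r'schtasks\s.*?/Create\b(?=.*\s/RU\s+SYSTEM\b)(?=.*\s/SC\s+ONSTART\b)(?=.*\\windows\\[^\\"]+\.exe)', re.I)),
    # task names specific to this family, as recorded in the report
    ("badrabbit_task_name",
     re.compile(r'schtasks\s.*?/TN\s+(?:rhaegal|drogon)\b', re.I)),
    # a .tmp under C:\Windows executed with a named pipe argument (the Mimikatz module)
    ("tmp_exe_with_named_pipe",
     re.compile(r'\\windows\\[^\\\s]+\.tmp"?\s+\\\\\.\\pipe\\', re.I)),
]


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def resolve_parents(events: list[ProcEvent]) -> list[int | None]:
    """Index of each event's parent event (None for roots).

    A PPID is resolved against the most recent *earlier* event with that PID,
    so a reused PID (4368 above) is never wired to the wrong process.
    """
    latest: dict[int, int] = {}
    parents: list[int | None] = []
    for i, ev in enumerate(events):
        parents.append(latest.get(ev.ppid))
        latest[ev.pid] = i
    return parents


def ancestry(events: list[ProcEvent], parents: list[int | None], idx: int) -> list[str]:
    """Image paths of the ancestors of events[idx], nearest parent first."""
    chain = []
    p = parents[idx]
    while p is not None:
        chain.append(events[p].image)
        p = parents[p]
    return chain


def detect(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (pid, image basename, sorted tags) for every event that fires a rule."""
    events = parse_log(text)
    parents = resolve_parents(events)
    findings = []
    for i, ev in enumerate(events):
        tags = [name for name, rx in RULES if rx.search(ev.cmdline)]
        if not tags:
            continue
        # Lineage context: in this run every schtasks call and the dropped .tmp
        # descend from the rundll32.exe that loaded infpub.dat.
        if any(a.lower().endswith("\\rundll32.exe") for a in ancestry(events, parents, i)):
            tags.append("under_rundll32")
        findings.append((ev.pid, ev.image.rsplit("\\", 1)[-1], sorted(tags)))
    return findings


if __name__ == "__main__":
    for pid, image, tags in detect(SAMPLE_LOG):
        print(f"{pid:>5} {image:<14} {', '.join(tags)}")
```

The regexes match on the recorded command line only, so they fire for both the cmd.exe wrapper and the schtasks.exe it spawns; the parent-resolution step is what distinguishes the second PID 4368 event (an msedge.exe child, no hits) from the schtasks.exe that ran earlier under the same PID.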
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run, with their recorded size and hashes. Where the report shows no path, the entry is listed as "(no path shown)".

- (no path shown), 152B
  MD5    e189354a800c436e6cec7c07e6c0feea
  SHA1   5c84fbda33c9276736ff3cb01d30ff34b032f781
  SHA256 826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427
  SHA512 ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

- (no path shown), 152B
  MD5    b9e3e150cfe464e9ebf0a6db1aa5e7a2
  SHA1   3cb184e2781c07ac000661bf82e3857a83601813
  SHA256 2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc
  SHA512 f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

- (no path shown), 64KB
  MD5    d6b36c7d4b06f140f860ddc91a4c659c
  SHA1   ccf16571637b8d3e4c9423688c5bd06167bfb9e9
  SHA256 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
  SHA512 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

- (no path shown), 69KB
  MD5    a127a49f49671771565e01d883a5e4fa
  SHA1   09ec098e238b34c09406628c6bee1b81472fc003
  SHA256 3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
  SHA512 61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

- (no path shown), 30KB
  MD5    452cee87a193d291cf0394c0a8f961c9
  SHA1   5ed43fad7737f776e85433d7fe7aa70d37eb4606
  SHA256 6c31786e9b268be9d7e56b3e519845551550a8b0df4d3f55fbaf947378446c61
  SHA512 355afabaa3be9194b4d47800be51e0ccecd9a857364fa57063b0866ee7595d33def0aed28eff297e582d16978e1ffb61921f3ee723e7c5e940dd48197b472500

- (no path shown), 19KB
  MD5    2e86a72f4e82614cd4842950d2e0a716
  SHA1   d7b4ee0c9af735d098bff474632fc2c0113e0b9c
  SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
  SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

- (no path shown), 65KB
  MD5    56d57bc655526551f217536f19195495
  SHA1   28b430886d1220855a805d78dc5d6414aeee6995
  SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
  SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

- (no path shown), 84KB
  MD5    74e33b4b54f4d1f3da06ab47c5936a13
  SHA1   6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
  SHA256 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
  SHA512 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

- (no path shown), 960KB
  MD5    c9aed1beb7547373eae1959e78776cd5
  SHA1   80db2f7c75bacf654afb23cfaf602ea01d1c9d24
  SHA256 b1d062b4229b56d9d81ac1cb1134c98cfbc2fbc6fd62953c440eb78151be4e1f
  SHA512 ee6621bfbec68b6612a9c96bda4dc3b13d14b4ed93c121a5d87d4f94664f7a95227e3b4e12fde12f99722e80841044f239b4839765d085c50a17f5a7608f63f5

- (no path shown), 16KB
  MD5    48c80c7c28b5b00a8b4ff94a22b72fe3
  SHA1   d57303c2ad2fd5cedc5cb20f264a6965a7819cee
  SHA256 6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356
  SHA512 c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index, 3KB
  MD5    800b5dd0dd138d786307bcedd5c213dd
  SHA1   f3f23e8ec99c6c2e99f7d8777b08cc6127b465b2
  SHA256 8b0e392133a24ab8bed89adecc84646f1d4ff4bdfcc50d7714d4ab5ceb6d3fa4
  SHA512 068ea922916b3b165823aaf67908716c9ca56c179fd1eb464a4ef92cc51e284c10e922c8a4d509f09ef45f27a4a3f5cb20ac9273a81ef83a2d993ce5c48a72a6

- (no path shown), 2KB
  MD5    a64daec7e860576bce489ea633cca6e2
  SHA1   f626c099ce20ec906ad8cf22d73483f2ba99c593
  SHA256 e1faa3e9551517198b66bc32af78411daf48297760f077dd2c2e405029682783
  SHA512 a2eb887955c26c688c3e0ee8b0f445d92bacd9c94bfd7b1c40733adb3b16823a82e6b96568fefd86281d71f24323648b14951a2c4a50ee3af7bcf669c7cf56a2

- (no path shown), 111B
  MD5    285252a2f6327d41eab203dc2f402c67
  SHA1   acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- (no path shown), 6KB
  MD5    1d6c81c6f72096b8aa055c81f42a8356
  SHA1   1d1acb94e6c334417f1336547d4631b686340dcd
  SHA256 e88c07247aa5db0af54189ea1114087a9b5fdb2b215838922e6cc2d60fb0280b
  SHA512 c8c9b4fb70ce2c4d499e36cab816420e5fe2e0a830a21a949b08d11136cb55ebee88190ae5a9324577a60f119c6a7adffa160cd95808908e9b0a683a76844948

- (no path shown), 6KB
  MD5    98e82bec27a4d57f450de4cd3439a430
  SHA1   198db6a0a1b78fa51d1f0f6e6a4adacd87f291e4
  SHA256 a6ceef6b5cb1dcee6d86a45a4a07b9773c0188d1a5f577628a29c99fb894762d
  SHA512 53857ecca6b3d990e5b35bba47d05cc4b70223c5d77177f8bad49fb3decd172510591c32b4283520caeec82aa807ea51c1f0332b205e798286de306d88497e4a

- (no path shown), 7KB
  MD5    919faa8f58e1d0016ddea6aca57a8f9a
  SHA1   abf7e90b15e61a3b1d8c60808203259fbaee42dd
  SHA256 595544b88aaa4f5a1815af351c72a751a09b72b55325bb630652d606c23c40ab
  SHA512 0bbbad8a93ca46b0c9dfdaa06a2eeab428252326e98c8e6182bd6f2b2113d22fd2c1d69bba86b13566ed3a779a02e834cad7330d1b500e513baa814a3d8ef54a

- (no path shown), 8KB
  MD5    19b8ec577999330794ef1af8dbcba321
  SHA1   030ded2d7e0fe29e5697b7e6d6ae0f6c0acdf684
  SHA256 409c01a33569c3f7589e8a0cd68d4a740c996817038e6bdb021d2ef73957d4b4
  SHA512 53d72c9bb65f4a957ebbd8964afa717db0137e0b36771424b66cace7763c45a9c529752da0a6f361345008de4383a823316035b7ddd24d76c26b807efb564409

- (no path shown), 8KB
  MD5    ce067107943e8ca217f99ef745fe3560
  SHA1   275d3d32c954eb16e46315aa24fcd4f90fa90f2e
  SHA256 0ce0f2778ad99f093d35ac53757d429bf15ba6ff86a048a54c702d57195c07ce
  SHA512 30e257b9e04086aa6d322892bf1936ca42a87b4092b6a6f95e24f93ab2654a56ea5e760844d5ce5491cf001bdceff9dc6fa40804ead8782d6e9810559398a2e9

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index, 96B
  MD5    986a4d030e9e9f94746904f8875cdf04
  SHA1   6d5247e6d55c448d4b69b6454d2eb1230188e1bc
  SHA256 3a0ae5660cac3b96a8886925a099612aef80d6e71fa275be7f768a42d2a42665
  SHA512 41a883c04abf92cfdaaf7a01d4504eebea35160a9c51c84ee83c78a97bfdf387edbcd9e0e70f102f69fab7d43935aec23d928a2b78abd587699253a99820c75e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584a04.TMP, 48B
  MD5    2d481086c35bc8c1447c20ba529ad6a8
  SHA1   b598c29f613048b2390dec9ed6118bc1362d02e8
  SHA256 8d5fe30633e7e5f34197bc7f1e333ef3ca9c22c372d0fbc08868957491708bf9
  SHA512 ab504aa9ec6f36eb98e7f28935a56eacc9dbef080d605dc499730acb61a88cbfcb025c8bab31d59860d9be9c2ff063b9fda83f0e39b0acb2d12b20c3087aaa31

- (no path shown), 1KB
  MD5    e444773c93b01d0d9fdf535d49f0028e
  SHA1   e2a9a561c2da92b1c4adeb3f573417b10a4a32b0
  SHA256 f913764a9464eedc421d625fd530db2a7b31e98890fd9637f92a64227f5c96e0
  SHA512 dc1f672e7dd478ad4dd9840d33daf679ae57c60f81fc7d03fd7d23e9db07df06dc836f606ced4068a984d814fdb72d226aaa96f6a9bb9689b2a0805515736127

- (no path shown), 1KB
  MD5    0dfb5b97e5d5048957a699047be56442
  SHA1   909ff280e3c0889b8c15c647d32ae5d332d4261c
  SHA256 50eb92a31b5715c006dff4958cd5c2dadfc0146c91d75791425af8123cab0ee3
  SHA512 628289d1e9106e19ee260167c388ea59624e7f6cdec0088352375f881efc8ad112725fb4332aa5cfabc434410a53ccb68e47998e1989e65f8eb0cc1c1ea4cb6b

- (no path shown), 538B
  MD5    adc589499fba3d516d5eaf8d0c88cb20
  SHA1   256c4f982ce821e93d4da55e5695f13a901bc7e9
  SHA256 24ca4fc9b8d2669edf366f374b1acaf44e81ab0112a4f56efc6c8ce05d597444
  SHA512 508d8adc39cebff7d7601ad4f4608c9e59f5fddde24a7058b4e2fd9b8aa87ed7a4385ea76d74fc221ef642a14b0a7c922c8f998f98aa7254fb8fd0806d679dc5

- (no path shown), 16B
  MD5    6752a1d65b201c13b62ea44016eb221f
  SHA1   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- (no path shown), 11KB
  MD5    ac4dd3f7187f48c42b8f9dc69077c55c
  SHA1   67a94a12543b6fe629727facbba6ebae833b6fb3
  SHA256 4bb7441ba15202945b59f7576b1f58cdbdd6883a42def5b2c41e359f005a3914
  SHA512 39600ef8465e40e371f467ff503c03b89075c9b0426efb67ca7e378ee0a54a894527160d1bf53f4291b1bfdbc3b313b405638ecfb658ffcabef7921ad579f4d0

- (no path shown), 11KB
  MD5    17237b1b022d8c3309b2dc53c661a820
  SHA1   898813867d071699b324283634a9e65e85acf3eb
  SHA256 56a611f8da6cb8d685a6914f2c9ed26097ef375cfad7ce36a6bf5939f4c76445
  SHA512 508f0fc2c27bdd258d283abd2b7bbd2ea0ac8dc05da746d8df2238028fe21f9b496d56019faf2018d6bf1474a4c6b43145428d644f4cdcee55e1c23418ba1a9d

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres, 2KB
  MD5    1d06b95fef853ec493e73f3a0746168a
  SHA1   bcc6011e77732ff25011639c93f303a8ad9f426d
  SHA256 0381080b335c7d5ae6e6b6ce7a9e147aa638743e19844e5c4f80e538b4078969
  SHA512 8337abcefba3514236e66879314ba2a089a7e01e07393e3ad0f27cc54e1c5d5ce3d24f969f6e7ba0885f9c0df5ddfd9fdf9c7a1b9c3c1b19fa35eaa05f389a81

- C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres, 4KB
  MD5    9e594ae1e52b864d8aff0366c10956f7
  SHA1   cd40b2a140c9156b293fc5e01f2f9a7fda7b4158
  SHA256 ddc18b029e4bde0878507e3258eaa8d3e5b35672f8d636b754923e005623b738
  SHA512 7891f172d2e5500ac20cd495a440edd8a3b6728861ce3b0bc127e84b1351b9194ef9ef1e0dc2126de0cc6416bd47d3e02e0ae469abd0fa74f226ad7cd0079af2

- (no path shown), 60KB
  MD5    347ac3b6b791054de3e5720a7144a977
  SHA1   413eba3973a15c1a6429d9f170f3e8287f98c21c
  SHA256 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  SHA512 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
  These are the hashes publicly reported for BadRabbit's 64-bit Mimikatz-derived credential-dumping module, consistent with the YARA "mimikatz" hit on the dropped file and with C:\Windows\3A1B.tmp being executed with a named-pipe argument above.

- (no path shown), 401KB
  MD5    1d724f95c61f1055f0d02c2154bbccd3
  SHA1   79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512 f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
  These are the hashes publicly reported for infpub.dat, the main BadRabbit DLL, which matches the C:\Windows\infpub.dat written by the sample and loaded by rundll32.exe above.