badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit[.]zip

Analysis

max time kernel
272s
max time network
280s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
20-03-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip

Score

10^/10

badrabbit mimikatz troldesh bootkit discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000687-328.dat	mimikatz

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 6 IoCs

pid	Process
568	5138.tmp
3472	AV.EXE
1784	AV2.EXE
3412	DB.EXE
1680	EN.EXE
1844	SB.EXE

Loads dropped DLL 3 IoCs

pid	Process
2528	rundll32.exe
2068	rundll32.exe
2392	rundll32.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/232-512-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-513-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-514-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-516-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-515-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-522-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-541-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4048-542-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4048-543-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4048-544-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/232-545-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4048-546-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/files/0x000100000002a828-634.dat	upx
behavioral1/files/0x000100000002a828-647.dat	upx
behavioral1/memory/3412-661-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x000100000002a828-663.dat	upx
behavioral1/files/0x000100000002a829-656.dat	upx
behavioral1/memory/1680-667-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/3412-699-0x0000000000780000-0x0000000000813000-memory.dmp	upx
behavioral1/memory/1784-726-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
13	camo.githubusercontent.com
14	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
2	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wksprtPS7.exe	DB.EXE

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\5138.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3984	1784	WerFault.exe	133

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
352	schtasks.exe
4640	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AV.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
2456	msedge.exe
2456	msedge.exe
1440	identity_helper.exe
1440	identity_helper.exe
4048	msedge.exe
4048	msedge.exe
3976	msedge.exe
3976	msedge.exe
2528	rundll32.exe
2528	rundll32.exe
2528	rundll32.exe
2528	rundll32.exe
568	5138.tmp
568	5138.tmp
568	5138.tmp
568	5138.tmp
568	5138.tmp
568	5138.tmp
568	5138.tmp
2068	rundll32.exe
2068	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
2808	msedge.exe
2808	msedge.exe
232	[email protected]
232	[email protected]
232	[email protected]
232	[email protected]
4048	[email protected]
4048	[email protected]
4048	[email protected]
4048	[email protected]
3252	msedge.exe
3252	msedge.exe
3412	DB.EXE
3412	DB.EXE
3412	DB.EXE
3412	DB.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2528	rundll32.exe
Token: SeDebugPrivilege	2528	rundll32.exe
Token: SeTcbPrivilege	2528	rundll32.exe
Token: SeDebugPrivilege	568	5138.tmp
Token: SeShutdownPrivilege	2068	rundll32.exe
Token: SeDebugPrivilege	2068	rundll32.exe
Token: SeTcbPrivilege	2068	rundll32.exe
Token: SeShutdownPrivilege	2392	rundll32.exe
Token: SeDebugPrivilege	2392	rundll32.exe
Token: SeTcbPrivilege	2392	rundll32.exe
Token: SeDebugPrivilege	3412	DB.EXE
Token: SeShutdownPrivilege	1844	SB.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2492	2456	msedge.exe	78
PID 2456 wrote to memory of 2492	2456	msedge.exe	78
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 3000	2456	msedge.exe	79
PID 2456 wrote to memory of 2388	2456	msedge.exe	80
PID 2456 wrote to memory of 2388	2456	msedge.exe	80
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81
PID 2456 wrote to memory of 2236	2456	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/BadRabbit.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd71663cb8,0x7ffd71663cc8,0x7ffd71663cd8
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,13307181102145719606,12730090764676329306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3832 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4612

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:4292
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:4228
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3964270062 && exit"
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3964270062 && exit"
      4⤵
      Creates scheduled task(s)
      PID:352
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:16:00
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:16:00
      4⤵
      Creates scheduled task(s)
      PID:4640
- - C:\Windows\5138.tmp
    "C:\Windows\5138.tmp" \\.\pipe\{6A041B59-6222-4308-8E99-F10C17CA4721}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:2836
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
PID:1796
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Users\Admin\Downloads\NoMoreRansom\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Users\Admin\Downloads\Ana\[email protected]
"C:\Users\Admin\Downloads\Ana\[email protected]"
1⤵
PID:704
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Modifies system certificate store
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  PID:1784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 524
    3⤵
    - Program crash
    PID:3984
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins8640.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:4616
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1784 -ip 1784
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
1.8MB

MD5
cb6e4f6660706c29035189f8aacfe3f8

SHA1
7dd1e37a50d4bd7488a3966b8c7c2b99bba2c037

SHA256
3341abf6dbefb8aec171f3766a4a23f323ff207e1b031946ee4dbe6dbb2d45a4

SHA512
66c3351ce069a85c9a1b648d64883176983acd34c0d5ca78b5138b7edc2890b34408e8e6fa235258d98c105113d1978a68a15262d6523a82abb004f78b06de38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2f6b95edddafdedf6918d778075888ca

SHA1
44b066ef18fca3b780f34079066983da842bc876

SHA256
054d1ced8c43b50056aeab3a4d50acb467af297e2f1d01e294d1eff8ab1db31f

SHA512
084b6980720a8dd04095af2126013a4f29ae072d567800d35118f8b7fcbd20f74c257fda89af0080c00d7266ffb49a0f2ca60467b2ab4187c2a228fd515ccaf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0404cefc3311c7162db340c974071b31

SHA1
f1637d2ff3cd53d0108fe532517dd8a46781eb21

SHA256
2582966997adbb174f3a15c8a27cc0c419b803eb0cd8a966e3551e5309506e3a

SHA512
e023489b05c8d03cedc4903a8b56e8775b3211be1c9472b28d1c748c2633924af24a408488cb9c3433d1ad332180aa7af724032313ffd46952c604219dd467e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
c12b15a483c0460993a70267cac443d1

SHA1
21bc4a6522293b2fc1a064992ce52469dd0f1f5d

SHA256
e6eee8a6ae2c71b9c2aed187f2fdd41dd56354d38bb350cf780d518ec668f327

SHA512
60ee5a08a13f6ae9f0d50b3f9c2470d6349b88895eb1985d3f490e84833ad7c00d20644bd28f6f2bfff0a57e991baa1fe490c3f21e03e5015dc09738d76cfbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
4e6eee6abe6a3f3297ddd8ca650670ef

SHA1
0544fc508ff561abd4e33315f883bc41c8b5685a

SHA256
46f28ccc3cd6b55f21939c49e5e6de4e3fd243c666a4425ab998df253bf6227a

SHA512
f10f8f9d77c1d1799dea8016d1c1d879e917aa2f13f47b1b8d4d1523a25776ed06c49ecb513c5d025e0e3b95e614e04471ab7e4b0b0c3bf08030f7c4989c5852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78eb6f6420117d9437f34dc655ba7acc

SHA1
4aa952d701d935bd9e9d324bd43cc27044c019f3

SHA256
b74182428fcfe0328b5e0d01d3e8894df8f8e53edf959e7304628be87942c21a

SHA512
3b5fe223d5a9f3165af51e1bd3615c442e40e91bbe8045b3cc5b5e8894c3c93be93a3150680a935d74d77b2a4aa35adfb32b0320051d6d9b6d12b5cc7cfad6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f28fb68442af8b3f31250afd97e93a56

SHA1
5ad041460f7ac0d6cc046909b5fd4e20a0ae0c41

SHA256
9a2adabb7912deaadba48c353ddbcbb6a9b4e42166fe2bf3c87d4b77a450337d

SHA512
80f60bfad64a9311596ee4a4d30e9b998663576672f35f4f8f1b558556afb1259b542a2b168894803355e079907a544595099145ecdf1973c661e0d314a42490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53667de0a099689e9cce5c5e4a94e5a4

SHA1
885f750a606d443808d4cb935e6b4d4433c019c8

SHA256
072e987938e5ef9cffca7bfb14a8d872b8faa7e53e233d2b5496f8fe90ee0691

SHA512
6a76b4e6030e2996b0ccb289155116b3c23bc7b34825e82ba4711b2219f3cf66689ca0867eea465cdc51382b6afdbff25a717742042bd6fee85bbf4fb91d2c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f153664adc09ff5f4b4bc95759c9c770

SHA1
f2c2fa9566457e96bac7d8f323d9b4453a23ffe6

SHA256
1914572407717f71ac175e1f957eaa1017a114f4b2ac133590d2f8d6b92cde8e

SHA512
1bb009616cb0ab4cf3939221bb6816fe0d2822287dfd0307e8443390ba2520456a632c4bec9b35b9623780157ca151d62aeee39cf39ad375afddc3f0aa518664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df92f814411a065aa5c9faee550abbcb

SHA1
a251755cb2af9715fd07c1a407322ea9d53ab8d5

SHA256
f604e91ff5b54b624d41ada7f190c8c0ff6327f5b5e071f6c6be35c05f805fab

SHA512
0df1b10cb6de1a24824581a51d0c603514fe0fe6810443a3b90a8189fd73b304ff5e29e4952268f856e074ce8e49f5af300e99a4cb08c6a8c6d0a1866b529505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f4968943d54a264a8f66d8f6478b6646

SHA1
d93ccfa228d9f0c2f232190d76aacfb4b421c29a

SHA256
4a525eac6bc9ea2bd4c5759d7e02f14dd0be3f957b91d3950eb14738628f801a

SHA512
360636e05cec449a3b06c45b48b2fde8e095e310eaeeba3dec09c877ae0236237c1aac97d80e54202fe792d2c4e337f9e68a2111bbf02798a028029334cf02b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a579886595b67ae9eb3fb9f17ac210f1

SHA1
d9f7b50af07235170d3ad2fdcca9c0bee4188ee5

SHA256
8bf88962f36d7f2b63f8ea297a571941f465daad9a378b9dfb7d7d5ad96563f6

SHA512
76f3dddfb6195db89dc6cf44d7d1214c91a684ddc789e3b848857005ddc52f1671d922da6859d605fc747a5ad87601aa72b8c7bef2b375d51c25f1dd5b42113c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b08863719890a6149c124ecbace4491

SHA1
f8802024c3c34e00852ba3b1befd5be703991301

SHA256
429d4c70eb1633d45d2db2741d62c767022b36215374accc0392a9f21ba3e4f2

SHA512
357e0781a845faca3a3c9877ffe52f8d2c2ddfb1411a3f80cb4e33d38f6f0f00bf9603820e3a90049658f05d5f78a94bf6f0003591742120f2ab69f40a135732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ba67.TMP

Filesize
706B

MD5
68e578929fb1c5cc54dfe39d001f73b6

SHA1
904bee60349e0a400afeb25c3faa588667f7591a

SHA256
a3ecd0920782670d9c746bd999be1fd255832bda23e777fa90c21784433a6ca5

SHA512
17767b8d51a5310f4638a265bb5edcc2f67007fac6aa2ea93131b32d9a1c520eac74e6c7094f5b1a0279c680676ef775d85bf1ac3561f598ac9a0f060525c2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b50d9b952333e89843456e5dedc2f5c7

SHA1
fff927ac011ab0c375aabd03c42c35eb822cf8a6

SHA256
df6b346b37bb47164be9028d7395598f9cf0fdb1707e29d3df03e03acdae18a1

SHA512
346e24a041c580876a33c99853ae1eaa2419efe1dc02b9f496be996c68cb04269eb4a373fa5bae0be51ef3d845bf20baa167b413a86a1ae41a57a4274cc09491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
840640fc3304ec193b4daa8426d3f49f

SHA1
68dd1fc00bdcd981153c81082791b2746bab30b0

SHA256
4df2fb2436a37a30e515056412c9bc468554c1078197209458efd3ac0c2f5a5a

SHA512
0d16cf72e64fe628e919e589cc7f7f185f081a5c49d168a5a9341b3308a52e6cd6fe1e84cb03a7a35b21b4d73d7d0f1a8f0e030ac9aa6fc6dec09af333e499cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1bb4139dda6d8fbe3aa7ddf5cc6a1a26

SHA1
e3ab7db8a334af744a1f6cdc433f4f5dcdca0406

SHA256
2b57b9016d09b1ee864a345c4fd8df57cd6763179fbd28d619f9c3e157f2b204

SHA512
610686b02dbaa4b4da2ab3607dc99fd0a5a689011b1b4e68405d8a82a4d07f1632a72824c31550d6c9909d4af2d80070fdcbcb9263758f5894b0188acf3172e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ecd50384622481532174e0af97765677

SHA1
12aa1b8f48c69914b45f427a4dc3be9bfd2c7d7e

SHA256
e628894e40c4749b182cd42abf4399e30615fca660cf957c12683ac0c0337228

SHA512
bda54b3e2d6248d361a16b6772b35351d368f154d6eabad4da046c45232b0b52f1eca5791c431f57d602ea148af69a24e47075f8bebeafd91e60efb1fa2d694e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cd463f0051e322f06388f8ffe9c1d74e

SHA1
080d1b6345038c2cac3703690576372cfe309a78

SHA256
21e3a9869fc552cd421d9157008adb8eed5bb1f6e48dd88f6c6f93aa6e1eef0c

SHA512
c2fed617f05ad73e3419dbf9b31e251281399c4e2ba1301784b437c1d97e70e90a34371fa6ae05c5814e1502837edb65e9127d026261a422c143897302bde6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
576KB

MD5
4cc8479ebddff339496c56573e2ce287

SHA1
da8ed5aac29c0a593f4ff1c4e707b280a3631bf5

SHA256
a7828f1f3aa17c554b7616138cbd338af0554fb1727c766091007907d088cc9d

SHA512
e95253b95de5b1012dbfac615f10808916c0fa53d28379e50102fd2703900d47c2cbaf39db4a698776b8075b081ab5a125ceb7d64c471652af179c7399476d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
896KB

MD5
f7a0d3d2786c88bf120013e300ce4558

SHA1
2ad644817727dd81ce07b93f14bbec60ef31f2cd

SHA256
4ff19abd14c0557b8bfc5f41a8482ed68e156e8ff0e0620d43f5e6143dd4222c

SHA512
c20f16fcb8c3589195ac70490d0834453fd42b91dff76a7bcf88d31bc7d9dbe62e7562520b1a98634c39f34a13157b4b64f9d7212725997bea73ac03650fa61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
256KB

MD5
3e28081fdd99add090d596cf5e5d2f0c

SHA1
300d252accdbee369a970d56a649d3f3d47c70f4

SHA256
1e479998231b6c7c0ad1a25b19759196b4ca764f3f0daf2a6c7c014b86c59b30

SHA512
d4b9a6294296bdad59db68a4a449bda18d904f72e73170defed4f53060aa4b0e885198c19942a5ed9ebeebbdcac25bfa4822176ad11ea5e749c8c99f94b9feb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
64KB

MD5
9ea24c6453476b84947f59fa6286c67a

SHA1
915955825965f38523846f773d983c8085db8530

SHA256
da2f099f5ccef5a576f5c41f17887ab3430834cf4ee621ed578e334662b70e0b

SHA512
f0a4ab2c9032c84c4106493bdfe62659c4caaeb35a4cee85ea8aa2b20d5520b2be071115810f6421a983e4d67df47b58db2f0dd00f11f389ae739ffa5cb77332

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
128KB

MD5
e7b0066e62cbca76128f8b081dd257a0

SHA1
8386ce5030884d28eb6981c28a53b24ad729d23a

SHA256
fb990a20c209dd73d886f27ec125614aba5c86a5aeb2625b47d7ee1b01a68a23

SHA512
74ea810c11c7942ad8eb9627be7ce4cbda348b36557e32f2b5dc08d14fd2079534afc83e1ecc7bc20039480b080c483b9ee0ccbf3b8e0eee87627f72831aa60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~unins8640.bat

Filesize
49B

MD5
9e0a2f5ab30517809b95a1ff1dd98c53

SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

Download Submit
C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Ana\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
b35bc392518e8ef80911eb39c68a8537

SHA1
0e6f081aaf419717827c73ff41f0c3e099be454a

SHA256
0fcbecf1c190f13c77c2157a1a1df1cad40ff2fd75bb27147d287c2eca6d20c4

SHA512
7d900bfee2760d4908834bc10b6654ca2f5a924144bd5b576c02c5dd0a10f5ed9b8c1465da5466759f2828b76a082774df26291ae46e1079bd7a5d2b7b07164e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier

Filesize
123B

MD5
181406e103d2d11204b8e35b8a64ac6d

SHA1
6b78fc98b02f2f999a3e4f312b21fca67aa36adc

SHA256
98fa9357035c2a3352fa4fc23f670d8b0b18fda3309b25b6346b032031d58fc2

SHA512
1a00bd81ac7ec58342cc4d52b36fb55372d49697fc8fd87e4da1f7c26bcb0e243b961036ddef13937c033a8dd15372c769bf19da6358fce0154bc19975491819

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
126B

MD5
957688537adbc79e1108e7d67c5977ab

SHA1
88f62536f77651012f35f974ed7a814c22ec6272

SHA256
603e2714a5dfa5fe818c138b2e10f0f153c6cee0b741d4f60efd810af695f2b8

SHA512
05b1792f7798a53da9a36e95fd00bd97a50084637ef670e0fd78e2e93c6577c30d9eb64832d8bcee5098b39fa65dc1d90ee5a72414ef4a7551763b24a56d3cc6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 797191.crdownload

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Windows\5138.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/232-515-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-512-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-545-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-541-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-522-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-516-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-514-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/232-511-0x00000000022F0000-0x00000000023BE000-memory.dmp

Filesize
824KB

Download
memory/232-513-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1680-667-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1784-726-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1784-702-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/1844-694-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1844-698-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1844-695-0x00000000006F0000-0x0000000000754000-memory.dmp

Filesize
400KB

Download
memory/1844-696-0x00000000006FB000-0x00000000006FC000-memory.dmp

Filesize
4KB

Download
memory/1844-692-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2068-369-0x0000000002FE0000-0x0000000003048000-memory.dmp

Filesize
416KB

Download
memory/2068-377-0x0000000002FE0000-0x0000000003048000-memory.dmp

Filesize
416KB

Download
memory/2392-390-0x00000000012E0000-0x0000000001348000-memory.dmp

Filesize
416KB

Download
memory/2392-398-0x00000000012E0000-0x0000000001348000-memory.dmp

Filesize
416KB

Download
memory/2528-311-0x0000000002F50000-0x0000000002FB8000-memory.dmp

Filesize
416KB

Download
memory/2528-319-0x0000000002F50000-0x0000000002FB8000-memory.dmp

Filesize
416KB

Download
memory/2528-322-0x0000000002F50000-0x0000000002FB8000-memory.dmp

Filesize
416KB

Download
memory/3412-699-0x0000000000780000-0x0000000000813000-memory.dmp

Filesize
588KB

Download
memory/3412-661-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3412-689-0x0000000000550000-0x0000000000581000-memory.dmp

Filesize
196KB

Download
memory/3412-700-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3472-676-0x0000000072EB0000-0x0000000073461000-memory.dmp

Filesize
5.7MB

Download
memory/3472-697-0x0000000072EB0000-0x0000000073461000-memory.dmp

Filesize
5.7MB

Download
memory/3472-671-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/3472-732-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/4048-546-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4048-543-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4048-542-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4048-544-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download