badrabbit | ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

Analysis

max time kernel
120s
max time network
131s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05/04/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0002000000029e10-21.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
2444	8CDE.tmp

Loads dropped DLL 1 IoCs

pid	Process
2684	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\8CDE.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4052	schtasks.exe
3060	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{D75A2987-CCEA-4368-80DB-97C8416FACB1}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\cat-blue-eyes.jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\cat-ceiling.jpg:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2684	rundll32.exe
2684	rundll32.exe
2684	rundll32.exe
2684	rundll32.exe
2444	8CDE.tmp
2444	8CDE.tmp
2444	8CDE.tmp
2444	8CDE.tmp
2444	8CDE.tmp
2444	8CDE.tmp
2412	msedge.exe
2412	msedge.exe
4044	msedge.exe
4044	msedge.exe
5036	msedge.exe
5036	msedge.exe
4256	identity_helper.exe
4256	identity_helper.exe
1524	msedge.exe
1524	msedge.exe
3024	msedge.exe
3024	msedge.exe
5356	msedge.exe
5356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2684	rundll32.exe
Token: SeDebugPrivilege	2684	rundll32.exe
Token: SeTcbPrivilege	2684	rundll32.exe
Token: SeDebugPrivilege	2444	8CDE.tmp
Token: 33	4468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4468	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2684	2228	[email protected]	80
PID 2228 wrote to memory of 2684	2228	[email protected]	80
PID 2228 wrote to memory of 2684	2228	[email protected]	80
PID 2684 wrote to memory of 3080	2684	rundll32.exe	81
PID 2684 wrote to memory of 3080	2684	rundll32.exe	81
PID 2684 wrote to memory of 3080	2684	rundll32.exe	81
PID 3080 wrote to memory of 912	3080	cmd.exe	83
PID 3080 wrote to memory of 912	3080	cmd.exe	83
PID 3080 wrote to memory of 912	3080	cmd.exe	83
PID 2684 wrote to memory of 4824	2684	rundll32.exe	86
PID 2684 wrote to memory of 4824	2684	rundll32.exe	86
PID 2684 wrote to memory of 4824	2684	rundll32.exe	86
PID 4824 wrote to memory of 4052	4824	cmd.exe	88
PID 4824 wrote to memory of 4052	4824	cmd.exe	88
PID 4824 wrote to memory of 4052	4824	cmd.exe	88
PID 2684 wrote to memory of 1368	2684	rundll32.exe	89
PID 2684 wrote to memory of 1368	2684	rundll32.exe	89
PID 2684 wrote to memory of 1368	2684	rundll32.exe	89
PID 2684 wrote to memory of 2444	2684	rundll32.exe	91
PID 2684 wrote to memory of 2444	2684	rundll32.exe	91
PID 1368 wrote to memory of 3060	1368	cmd.exe	93
PID 1368 wrote to memory of 3060	1368	cmd.exe	93
PID 1368 wrote to memory of 3060	1368	cmd.exe	93
PID 4044 wrote to memory of 1988	4044	msedge.exe	97
PID 4044 wrote to memory of 1988	4044	msedge.exe	97
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98
PID 4044 wrote to memory of 704	4044	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:912
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2571996363 && exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2571996363 && exit"
      4⤵
      Creates scheduled task(s)
      PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:00
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:00
      4⤵
      Creates scheduled task(s)
      PID:3060
- - C:\Windows\8CDE.tmp
    "C:\Windows\8CDE.tmp" \\.\pipe\{9EBC2D35-254B-42EE-A151-99BB53FD6449}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb1d173cb8,0x7ffb1d173cc8,0x7ffb1d173cd8
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7572 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8464 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:5496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
437a813327b3d60333ff153b42ab17f8

SHA1
fcc7f22be6ff0d1b9287c7dd194b1958ec6217f6

SHA256
103942089c668e49f90ce0546b6adad55980c564304b5cf2ec9b7ac2017abbe1

SHA512
ee96e4f926f7ff80ef2b40a54e60dc2f50b47589d7a034db599e930a54f10b0e85995d6921224624421873981ba156bf505226b7f5771781dbcecc985b861dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
7662fcaf70fc5714ccad28ad46cf8802

SHA1
70760ddbe0e42d9637a81a96bfbf246a19fa067f

SHA256
f867888eb6002610b8dd777fde8a28517da1d4835af4d056b6ce929b8d4d7a46

SHA512
7dd74d47d4b18c11da6ecdbb624f7c8362ba71e50b6bd3e74411ea7a643aa41b4e1d93772944565fd7e54ae55ecabbbbe315ca1ed4300ffd8d216c131061ff0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
45dee8019dcccda6119d7fd42de4b780

SHA1
0951b22f51e3818eaf84e26491180fedf7f07902

SHA256
83e65a1e978e9f52ef679783e441486485ad8656b7baf74b145117f75a5d4aee

SHA512
70c2533166259c03b992b771e157737a3def976ebe6b55cd7cd31e7fac1221c3f5c4f77f7ea2705d4cdfcb07a822dd277be108b78f2f1d198fa357995850b3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
1024KB

MD5
66e8d3f233fbcef98b88e11acbcf6ba6

SHA1
2b8b441695468ffcceafc2c4820a64632a98ced3

SHA256
28e490622aa7aa0a7ca15f3b804ec193205908d99b1402594b08252d71e7c731

SHA512
d151aaa04e68f4f19fc403620eb68525bd3e064b298ac6482917908e14e28f7b9970e8651621c682ec8cd04bf963cd716a5decdc43234863415c9c753015ffdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0c26c3e8bc2255b6aaf339d83bae45e5

SHA1
ac73883347affd6172ad199df1ef200a9a2fe2af

SHA256
443d515aa35d6c4c15c170159b25f0de47055220bfc071fe9eb3ecfeac0e033e

SHA512
a02e9703bc1b3a15d61fcd7ff3cb53f8fa1483f83d1e283d3e5a2b5e7ddc38494f1c3e46f2f9393dc2500c2bf80b9b479ac87b7ca1d4431d286ca67976378b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
874964609bf122c20dda7611120d806e

SHA1
9cdfb9da25870ac1b17630a0e8136c8b3abe8811

SHA256
5b1756cc9171d480ae586351fd44afcd57de00b3aa0835c334f24981dc6624e7

SHA512
b48ece5819d3c0c8c9b6ec6f909baf4cf69a1631d53215147a9ee540917a2610a5d2ba8ae9dda677228ec0b82196f507f7b6411d6203c3d5cdb2195e07e7df0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e457fef1c6f2ec4ad8301f22c046fa6e

SHA1
e0f586ee8db133336614720ea23585c0b6b13017

SHA256
6d6634b3cd4f57baf807772f1d860145344e35daf31b055dc3a43d4febc80c99

SHA512
6c3c892e152abc9709ac786854fe6a4501ae6220d893d88694455434b06e463543c4ed498ec9bab964f8f7c4eb5a5d209c2a0eb65fb99f35c36442fa2ad992bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef94403d10be40d0a09de81fc1c7c410

SHA1
13c05c19b03225b27140780c0b5fe129d6079134

SHA256
60d622f2dcc28f3b185692f02298c74e0202a79f956b111eb88005d02d44ce86

SHA512
c0853bc44851a756e88336d02d1e06e86e6be585fbe33cbd0b1db528a722c89f378c414b34a6a4865e9cead74dc9e84e72380afcd688acdee48597ae01dc2160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5e26adbe7cd230d522d1278ee48a2983

SHA1
b2b7ec548dfcedfd65ff29fcd4b7fc774c27caee

SHA256
b09298f22fd0e4f1c98c33117ed8d334c12f7e865e961a989b8c886550fbb391

SHA512
1ce4b36febf5b5a13f3be5a03b02a80be608ea847bb20aeb063ed21cba683c2e77fa7ed55ee2a4b4581fdef3e9e6fb28685f3bbdf8e993d1f7be60cf79cb4542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5c1e6d1f03a0fbcc17a847e99aeff355

SHA1
7389dbf888d091604060a73c6500c1e136293532

SHA256
f83941fc650f1a17dc92bdd6900979fca809cbaec979f70c6647f55c706a1640

SHA512
8c40774fed8c74faed274f6e7eba2f5f2972e29aa68bac4da8227fe60f3217a20baccbb2d64d133a7dc9652d64839d72bcd92ceb33992f5b7da511d39fd6bda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
be46b326f7dd75fc5aeb79b38f97dfcb

SHA1
1eebb56330fa2be299615d5d520c559f8a8384eb

SHA256
2c4be4996665575bdd7e7790a6f1cfddbb91fb181323d6c327c2121d92ce93d0

SHA512
641ad69264f384e5406ea512bba376f7482adc697473761db31197bcf260f2c19b1caf79fbc354add780178c7c74df5ee19e8affbbc4c378c5c16a5af5a0ced9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7a7ff88f5c53e46c3d25f2c2ce64b7ab

SHA1
021627662c710d7001b3d4248cc8cf230a2c0d58

SHA256
7cc5ff1538a4b6cf9843fbbddc6ad0d9c5f8a097c7d8518abba9e2b68e825fb6

SHA512
d617c39d986e971c5c209a4573a198842f312ee6a7a36095a134f79418c579df1df8632c47185c7a12f6e7cf81441414fc07837f2999816269ef9382f5416fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
d2c3f5116413133bab16a497c9d7b38e

SHA1
ab32f97a11fb8e716bca91b1bd71c4247afb2c76

SHA256
6583263ec77d5b540be7c34d7c381afdb35a207d1e85f8a3c07c8fee834c3d3e

SHA512
f80553f935c7e139d84e08c09ab90b7db71a83eb22e8bd8d9df877f14b4332962776042966404a77526d04d4a3978b259f444257aacf0a8e2dd5048dc5237ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cc05.TMP

Filesize
370B

MD5
0fd17b6d020b1c2e87c58a2f4df9c978

SHA1
11a2bdca6caf4a67f73c6f6b67dc95e0d6b77a4c

SHA256
171cde9ece8216e1cb0c7bb00d06b2d9be1e3cbb53044fcc5945a8ed77051f1b

SHA512
798ffc335540adf6888d18e75fbda03512ee8d3890a00d177644c5bb68732e8a2a3d14f943758150ea3d33181effda70066d3943b33ee53c6540822dc074df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
48334c3d09ad89dd46157be606e209e1

SHA1
38934db3137a61d91f327360914c3251f5a06e3b

SHA256
b22840aba6cc55c369a0258dec8cd45a5ef3cca1d3c63929a9f9b8fc53d6e311

SHA512
ef6c5673d655d711fc43edb67cb14f925921633be2e6b853124590d347b86d6e5f684562c78454b26e5f7383efb38730316556b4bffb176621b1a30a8ca6f56c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e6b18002005c255d22b96a3b61744c3

SHA1
37552e38cef42e8958c08f81f37789dd0e679d6c

SHA256
c78fa2e09ae407bf3a3d1a01f8499150bc3e674bc4bf613f16d78d2cf39b0dc5

SHA512
1968cfb4ac82546e20eef12a32ab0fecf78df2af26548216b355de5f0492819515775f2d211e66926148bde9a4ea597cc1459765f76c8dfac39b9b86116cbfc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4e8224dfc0192016c03756c3f6a3e69

SHA1
2b5b39b3179c71ebf68a0531b6513421be30b1bf

SHA256
55712c2f6e000cddd0539adfd7844412479534b61147403df06216142afe5a2a

SHA512
6562bfe069019f97682c83a61fd0948b1d0f615116adca554b84b8136a93cc38d3366cf5c6499274ec9a820d33e0473d2011601fad6d221044395f87019ef92d

Download Submit
C:\Users\Admin\Downloads\cat-blue-eyes.jpg:Zone.Identifier

Filesize
123B

MD5
75fb4ad145331b3459b27fcdfc7e4dd2

SHA1
cc37045d978c0c8cc179d3fefa0bd3faf8effa3c

SHA256
241fa2e7f5d19219c6ab4e560f546257d29a56ed061c95633a6e6e3106717853

SHA512
aad2236a20b9c745e41d9e5d4027a90f995a5bb5593209e415f673c16c4fd852742e7b1d800eb2c16b8954108bd9498a93ba4304fab254464efa265bd9c48a72

Download Submit
C:\Users\Admin\Downloads\cat-ceiling.jpg:Zone.Identifier

Filesize
121B

MD5
e021d670cd8b924e08b2c9c07db0eae6

SHA1
d4ccb33b0381fc080575a9e84b6e59ce1de2b5db

SHA256
a971a71157f0051a20ebd9f79e8991ec1da42a9ca3ff3e0819782ddc7b3ab60f

SHA512
8a9475ea7e901f80cc21933a375ebb57ad38519c2ac24ec302ab9f8d6e4301cfd70511f63a2a8e35a3da5a857be14556aee082c4e8a0fefb620201cfb924ccd4

Download Submit
C:\Windows\8CDE.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2684-14-0x0000000002B60000-0x0000000002BC8000-memory.dmp

Filesize
416KB

Download
memory/2684-11-0x0000000002B60000-0x0000000002BC8000-memory.dmp

Filesize
416KB

Download
memory/2684-3-0x0000000002B60000-0x0000000002BC8000-memory.dmp

Filesize
416KB

Download