badrabbit | hxxp://GitHub[.]com

Analysis

max time kernel
198s
max time network
222s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05-04-2024 13:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://GitHub.com

Score

10^/10

badrabbit mimikatz evasion ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\1236.tmp	mimikatz

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

1236.tmp

pid process

2440 1236.tmp
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2744 rundll32.exe
4768 rundll32.exe

pid	process
2440	1236.tmp

pid	process
2744	rundll32.exe
4768	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\Y:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

34 camo.githubusercontent.com
39 raw.githubusercontent.com
42 raw.githubusercontent.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Control Panel\Desktop\Wallpaper 000.exe

flow	ioc
34	camo.githubusercontent.com
39	raw.githubusercontent.com
42	raw.githubusercontent.com

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Control Panel\Desktop\Wallpaper	000.exe

Drops file in Windows directory 7 IoCs

Processes:

Endermanch@BadRabbit.exerundll32.exeEndermanch@BadRabbit.exerundll32.exe

description	ioc	process
File created	C:\Windows\infpub.dat	Endermanch@BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\1236.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Endermanch@BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2052 schtasks.exe
1640 schtasks.exe

pid	process
2052	schtasks.exe
1640	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2280 taskkill.exe
4592 taskkill.exe

pid	process
2280	taskkill.exe
4592	taskkill.exe

Modifies registry class 9 IoCs

Processes:

firefox.exe000.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{3D2FD6B9-62FE-41EC-8A97-C6B3FF55EAE8}	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{A3635802-867B-43FC-8C51-B9D10F31C75E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{06D77008-3B95-4D53-A08C-E930B4F4092B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exerundll32.exe1236.tmprundll32.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
4712	msedge.exe
4712	msedge.exe
3108	msedge.exe
3108	msedge.exe
4768	msedge.exe
4768	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe
1852	msedge.exe
1852	msedge.exe
4784	msedge.exe
4784	msedge.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2440	1236.tmp
2440	1236.tmp
2440	1236.tmp
2440	1236.tmp
2440	1236.tmp
2440	1236.tmp
2440	1236.tmp
4768	rundll32.exe
4768	rundll32.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4552	msedge.exe
4552	msedge.exe
4520	msedge.exe
4520	msedge.exe
1516	identity_helper.exe
1516	identity_helper.exe
1332	msedge.exe
1332	msedge.exe
4500	msedge.exe
4500	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

msedge.exemsedge.exe

pid	process
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exe1236.tmprundll32.exefirefox.exetaskkill.exe000.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2744	rundll32.exe
Token: SeDebugPrivilege	2744	rundll32.exe
Token: SeTcbPrivilege	2744	rundll32.exe
Token: SeDebugPrivilege	2440	1236.tmp
Token: SeShutdownPrivilege	4768	rundll32.exe
Token: SeDebugPrivilege	4768	rundll32.exe
Token: SeTcbPrivilege	4768	rundll32.exe
Token: SeDebugPrivilege	4720	firefox.exe
Token: SeDebugPrivilege	4720	firefox.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeShutdownPrivilege	2324	000.exe
Token: SeCreatePagefilePrivilege	2324	000.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: 36	1524	WMIC.exe
Token: SeShutdownPrivilege	2324	000.exe
Token: SeCreatePagefilePrivilege	2324	000.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: 36	1524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

msedge.exefirefox.exemsedge.exe

pid	process
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
4720	firefox.exe
4720	firefox.exe
4720	firefox.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe
4520	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MiniSearchHost.exefirefox.exe000.exe

pid process

1832 MiniSearchHost.exe
4720 firefox.exe
2324 000.exe
2324 000.exe

pid	process
1832	MiniSearchHost.exe
4720	firefox.exe
2324	000.exe
2324	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3108 wrote to memory of 480	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 480	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 1992	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 4712	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 4712	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe
PID 3108 wrote to memory of 764	3108	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://GitHub.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3b8f3cb8,0x7ffc3b8f3cc8,0x7ffc3b8f3cd8
2⤵
PID:480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1744 /prefetch:2
2⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
2⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
2⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
2⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
2⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5716 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
2⤵
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
2⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
PID:292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,16489221459422176791,8950464487358537675,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6380 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3b8f3cb8,0x7ffc3b8f3cc8,0x7ffc3b8f3cd8
2⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\Endermanch@BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:4544

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
PID:3564

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 397688748 && exit"
3⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 397688748 && exit"
4⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:29:00
3⤵
PID:4960

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:29:00
4⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\1236.tmp
"C:\Windows\1236.tmp" \\.\pipe\{A35C8721-B2BE-4A72-881B-A39DC59ACFF3}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\cmd.exe
/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
3⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN drogon
3⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\Endermanch@BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\Endermanch@BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:4632

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.0.1484169160\2015475143" -parentBuildID 20221007134813 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0832a05b-da19-419e-9a47-37afbc92dd65} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 1872 1befe4f6758 gpu
3⤵
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.1.1337205182\1756885730" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d3f209b-a286-4a02-a523-0f2aacbe0ab7} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 2248 1befe3fbd58 socket
3⤵
- Checks processor information in registry
PID:2052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.2.1775483538\1092938360" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3108 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e9b4a7-f5f2-4da2-9793-a77b030affee} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 2876 1be83792e58 tab
3⤵
PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.3.1950517421\1505889730" -childID 2 -isForBrowser -prefsHandle 3452 -prefMapHandle 3448 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b2a393-5e93-41c8-8e82-474aa6effae9} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 3464 1be846cb058 tab
3⤵
PID:4832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.4.1534446796\923031913" -childID 3 -isForBrowser -prefsHandle 4556 -prefMapHandle 4552 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {539e575e-0f0f-4388-8fcc-cc6d7d262581} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 4568 1be8577f258 tab
3⤵
PID:2796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.5.1529570897\1514831136" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4952 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7f41fba-f8f1-4c37-973f-7d9ad196fccf} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 4928 1be83d9df58 tab
3⤵
PID:2448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.6.724985712\1103792632" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 4996 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f6fc2ed-eda1-4e65-a064-08e3911cfa18} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 5104 1be859ea158 tab
3⤵
PID:1488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4720.7.292282378\193916973" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {229c02c1-ad8e-41a1-9314-f9f9d57b6d54} 4720 "\\.\pipe\gecko-crash-server-pipe.4720" 5304 1be859e9558 tab
3⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3b8f3cb8,0x7ffc3b8f3cc8,0x7ffc3b8f3cd8
2⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
2⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
2⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
2⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4924 /prefetch:8
2⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5148 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
2⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17019042322998452504,11806408426149124730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\000.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
PID:1432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:4292

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d5055 /state1:0x41c64e6d
1⤵
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8060d60e9eec4992ebd0aaeee8f18ea2

SHA1
db166857ca87fc6ac85374871590bb7577abf577

SHA256
77726dbec0c51ab00214a3b06ad4d48133ce36a8ff82f9793d2228fb39274d7b

SHA512
02902e9d099c32d672c932c5a09deb4e2634146ea52bc2eb4e879218ca79838591179bf88335874bbd2db077135904fd4dfc4b469038697db78f67e974b7a333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
44KB

MD5
3e076e0639911aaadebe00ad545100ec

SHA1
c5b9906dc4913c0b658b6a45d296051341a70e07

SHA256
ba25f836f0341c09d1cea50fe300c1fcadbae6394cb3e5a5c10d29ce5c424c5a

SHA512
583671f2d0b27a93e85eecb1809b4f259800da230c9393ae1d32d8580a5274c72a10292220f96acf2ed2709d4e491a23bc19a70fbdb61364cd927e44aa281778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
49KB

MD5
e1f8c1a199ca38a7811716335fb94d43

SHA1
e35ea248cba54eb9830c06268004848400461164

SHA256
78f0f79cdd0e79a9fba9b367697255425b78da4364dc522bc59a3ce65fe95a6c

SHA512
12310f32ee77701c1e3491325a843d938c792f42bfdbbc599fe4b2f6703f5fe6588fbcd58a6a2d519050fc9ef53619e2e35dfadcbda4b218df8a912a59a5381a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
24KB

MD5
558da5b3e2f81d9690a1addbc729dd6d

SHA1
b2908e4ffdef06a86aa904747f16d23e3ac65bf7

SHA256
a57bf14bdf50d4d34dd6d0845e8de7f0525e242e1f8ead56f31ad0f3365eb81a

SHA512
85207b9b69db58ce64971eb1f002405dd5176cab69dc142c622faa0ab28618ddd1d6628b445389842cf1fa6a8d22319ac5783824f007020f56c216ebed399ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
35KB

MD5
de2247e900d4855eae21f9e31cebb243

SHA1
0a97754df1230f2783eadeca32d339a3cd63abd4

SHA256
4a3e99ffc912a23a3e04f16143a924d2271c5623331f37de27756b2488e13ae8

SHA512
54c8f09db2f019c6d9ea1206ed66a661e4ed7d2218d9a886265cd2f22782f4a21e4147b8f1edeaf37155c4b36a650666b7de029c8e5aca5ae5af0c14ecde7706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
1.1MB

MD5
93feab00f76536d681c1b77eca2c7caf

SHA1
c48cbe893b3178a56357c132cae2fa63918d790f

SHA256
5da61564d6ae3fa4506522460d177f8b642b20bae63f81cee14b9ca71fd49226

SHA512
6276f945f1008c70bdc559a8d6a14c609a033af2fae6bd80c129da546e7df6cfb3fcdcc452508df8ee5be7a0a87a6f9930664b8b9726c4e52877802a9ceca5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c
Filesize
22KB

MD5
f650e6b6cae5279e4c89126960b6b090

SHA1
9f79318b36cc53712c3e7e0cf6e9ef91f62811e9

SHA256
86781350321e19d398b5a3760fd4c0af43764862c8c37e319b8b743f15c559c0

SHA512
eff8025498be7773e063c43137946382c408cb886272ac4c9f8cdc6b2447b8e4d4c559351bcec842b7436b3d7be96c51da967637c8e99ed48822876ded0cb2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
e10c60efd9c90f68029ec86e7eff7dac

SHA1
ef3fa093213fabe3d8da0626c34c2cde24f390fa

SHA256
f351b6288b77fc569c163df418b6b3c93f769c55090f822c74183cfd8a2ff721

SHA512
fb73dada00481e3a5705416212ee6bd0251784e2b85f9f3615cad9602f17d9ada07a3dac03e325afc9315f32d5e73426974128bf74d5db80a6be370079dc57dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
f81c82e3e041f2697d87529aee300b53

SHA1
c05d0a4eabb21f0ee9b66ec0523ce04fe233e788

SHA256
d73d725a35057e3ffcfae628399c34cfc469e15c093f642cdb981e61d4f89972

SHA512
e8a0d67759da36aa9e1dab170ba9e6dc9b70982a365155f0dca8f0e39e4b59809b298696d5a19bca3aeb7b2245f9eaca2a499007d7d32fabc117dd2e70c43818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
b6813a5231b40e23529498b9cf3b24c9

SHA1
c1ea7afdfca13c2df961004d5ef5c39a0a4dd7f7

SHA256
d41fb0d923c742995c297a032eac58402707b91d644acfd3f238504e2a5c587c

SHA512
826eef76bf2d0a262abfe89e89c049a8555f325e84cf202d940af4653e6def6ad4b22614cccf8244cc516eb63dfd28cc35c2ab45c7d98ff8e41498b8430c1d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
28KB

MD5
b8936e0cd4dd662c23ebb7d43569f568

SHA1
738eb10d8b32aec436f602fee9633a8136dfe698

SHA256
8ac5251bdac83917e19660bb81b80ed8c8449ed63f7fd5cc0e6efc081166ea1e

SHA512
599a0e0739af0b041d218aeb4e0ace0c5cbd33c8cae1154223c4916e606a1e20fdad86c48acdd3671c527d703f6aff80688ee54a0f240d7d645e8ab1c9a9335b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
b29497fcaf6904e46200beb82d44cdeb

SHA1
2ef7eb4e73c1a057872f07953393eac093ba2d95

SHA256
d8eac80fc39f12932b6f7f4669b10bd23a97e92bb895c5e63fda9f461a76f2cf

SHA512
a981147cf9c76ed440229874eb49dc458a0b8f0f3971534eb62cb67894a6e22c7b1d9d1d1dd13f87cfd9b555abbd2195b13c649cf276d61020339711feb0eaf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
116KB

MD5
ad567edf0f13569c0062fce3de5987c4

SHA1
2ad46a60284d6697c212f89c218a773ab69a9998

SHA256
557b593307232d41734700a16607849df541b6651335941f8d7df03f9a1912c7

SHA512
111e3a10fb5431bf4700147501e06a6cc2fb0f5d52221b2c5e5c99d78a437987ce7b2b623bc77f2906a9473f143a64645e8f731c2e96410011786430b04d9f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
6KB

MD5
f72b4960c5051267091fa1b4faf9fe98

SHA1
94d16919b868946a6b775ea96775a89855714536

SHA256
c75bd4a2537ee546836430e09b4bde9d03080711d1264ea9a56bce08267a4561

SHA512
5bec9a5e1d6513832a3471df107059257e31020890aa4334a97affd4813827cbdc7239544c718398208d54e41f12daaf241c8fff62ec05486c09c538e5a29f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
c3fdbb23dcc01c623dd4a017fae5b603

SHA1
6691fac28a6bd991571affd320d3a2bd94bcae9e

SHA256
451335bdd22f1b38b16bb508842627ca85b87d78a4b8d72581b33cf725fca013

SHA512
af0389baa0fe52fa6f3171ac97cc7cc8d9eccc427ef6ba2aa2d0d9a8ad5e6df5100103c138f6333fbf87c8730311cb6358529f5d7def95e24cee532f5e408362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1010B

MD5
6be1cfae145616519c6b0435c5916d1c

SHA1
040bf4f978cda318fd33b47177d2e2d2ea0e6057

SHA256
ef3b3964dc2f7e3b7df144911e8f2590f72e7738314238c748c67aefc93dbaf2

SHA512
6e75f346ca1af0bb68d06499f4be229aa236703268e57bc843d730449cb568f8fbb5e02c556115bc63627422fa8ba357c088300f51fd871dfdeded6c418710fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1010B

MD5
cc29bfd04276cc5c61730eb65a0d40e0

SHA1
d438930d7f22575fdb913d68e6a602125a8cc31d

SHA256
4581052901965cfccba11d5c3aff375a68f6d863854867e015c91899b3302f82

SHA512
048d5340ad0ccd4fcde67336f604cc79f456f9c5254c2f3693c9e0caf1023e9036321e0e58b4a643a8394b219199efbd924e7662f5a6d1981d50834febbaf662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
248749e5f4b0951ac57b314a2b574ce3

SHA1
58b7399663a1b79fa5be9df575fb4f832cfbf52d

SHA256
6539dbc6e12350a6873be59b7a03a9b48137936bfc7a1bc96da8c1e43d4c24ed

SHA512
dfbe05a04fd4ebd573ffeb88d1f7f172064f859ee70cda5d97af5f19beb08917ce2fa1b5fd347621b11c625914b647f0afc226e2cf39e8e2f3591bb519b6b610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c942b234afff3ba5feadab66d7c22c8f

SHA1
8a3f3e21521e22ba60dab28a8643c232f71c8202

SHA256
20bebd3c9f7c715482b4a21904a7b77dd5c5d1317fa8154e9f18ded28c424c1d

SHA512
36b058a2e445e8c260046fb1af23f6ee7ed1011bc8c9ac3e5bb4c1f6b649ce061bdd3d423f84f96f8a14957aa84e29255f10693b33cdd2cb062de5e72d4c64c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8921bc2ca7b53a2b0d2b89eab966eedb

SHA1
031b74c2d3be1bd2e8cd3ff306caaecf722bcb37

SHA256
82e6f030550f09ebfecda03d168f9893481c291ab1f2aa0e07ef86bbac15379d

SHA512
c155143379f8574fa6f16e02765e1130be1ab3d7f56208c3ec6460966f05ab438678313010d2ec3965884081a17a24d3bd9a29c60279260a941c37e27dcf0396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2661e10d2f9236bd6dba4f27b1e89000

SHA1
2d44134bb027ebf2ff34f37c0256fb3f181e5ed4

SHA256
f2b66f383f14423c011d4359eeefca3c74417a7f14410e3a2dde604cf68ecfe0

SHA512
d89b02164409b5f9e624befb82b92e6ecea578cf09129520d5c208fbf104b5190afaff91a88351ceaa1681b196a9d59f13801f71c1bd56cf4cd3f7f2ec9465de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1d95d6f61a46b1ec0cb01c76ae37da5d

SHA1
e6c91fb69548600acf32df650af6fd30fd9c5317

SHA256
3386d6b34d523a4b9ac76050467591ee924f90291ab9c69e63dbb2f9703ee2e6

SHA512
2f86a330a5b9feacd4ad8a8811105db6d75c09329fa342ad881682badcde9f65f0caabd8a2ca7dd1dd1824c010213cf9384d15fcfedb0f4db3e2494d557cf541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ff822057468bc4a29345bc1d303f8e9d

SHA1
0d8f14aefd69699ec07c10f4e178ad6a845de536

SHA256
f75c9847a148fea7e326ebd95a519019ebe1a042f8080fcd53ea51a9ec5d9705

SHA512
fd574470eaa60b19eaa1e08d8df95caa3a18161aad282a675fb568acd657857333fc2512e451754c49dfbb06dd9a7519e2a9500e8b9c1cca26727a8d80634ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
898a22474ad2cce9ea4d9c89c426ffce

SHA1
aea80aec15a30bc53cb352b8e2b836e706d171c9

SHA256
d051093704134f1f1440a01e051218c59fd5364f40d749b44f16407fb211de11

SHA512
d9eaece1fd2c3a2d582ac2134dd2b3b6f4b6d2cb6a9bb55d3cc52c49d7c49264440d3170699fb48d52526a5a8a6692c5fa9d1b4c0f659f8e541a2a95783998f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5aea421c08abfe13af8a2f46f661cf73

SHA1
62617671bba2fc88fea1ab1a9e12ccac0262c124

SHA256
0174e2d78ec1b815fe66d97e986698b3055a255694a6a61980f12847e080782b

SHA512
f9f4dc16ba710928972dfe4b530e6a909efb4c4f9254d08a8797b1c9dcbdebedda34f912bfcfd5c34c9007d7669a5410770f159c5d3de7230d85eac497ffb1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b6ffd7c354d78c0faca0f9876c257323

SHA1
6203d61b79d5a5608aa69abb356efcd85d6a20d2

SHA256
ae47bf68a2799586d593f58d3d2645b9090afe8e2e6846b7f358df89ed6b72b5

SHA512
dafcff37891db64f335ec97478183a2f3a8cf98feb6a60fddd5a96eff28576846d728f251f83c4ecb6ce95d58d6e0be60d7d26cdfaec9fe78e7a022f3fcc6511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
480B

MD5
9c921af404f1f0897d30953e1cc1bf19

SHA1
67be1b1e5d09655f06b06202f458924e2d9b26df

SHA256
4d9b3961daf260cc9154d8dfab9abd97c052582fcb91f691bb5c82c7299af3fe

SHA512
a2d745cb9a96da613814c74f335fb25fdb146230a26f33ede465024d34c1e0200fcb2ca33f74303cf1efb5b8e3bf1051c389a00d74cb8ae5e7c75c3fd223ece0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13356796175312369
Filesize
23KB

MD5
7bc109d3f200890a36021122e582878d

SHA1
8560af56c1899be67f2174f80bc5a90e95b4af65

SHA256
b11e90913ab278bb565e6c5fee6673d4de7c9b9ef97c7d0dc470fd77cbfd5c35

SHA512
7f61d9cd5fe658779a03020783c4bc7d4a94a9f02259c39f22974efe309d114ad9492bf36809a0ee6755a1fea46fc9b7f0d9801d1746cf3becefa28e46d06e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
184B

MD5
bdb646c560c11f9d1edbd4909ca10ead

SHA1
dccf45e55b737c676e09c3c75be733c597f29d6b

SHA256
485f4bc48f22dec36884babac2a667c0ad6d2789ddacc7d39d52c7cc43c882d6

SHA512
68634d12d1dc038dd95be58cbf647aaed3f763c97a35f3f11f935fdac89d87575e46f3120332cd3c4bb8d6bbec4bc2266e432a193e5b0e08eae60c0b93e398d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
05f76975c514c44ecd6948fcac93c572

SHA1
4c678a60e607970f47a52b70ac48f9fe86d2d1dd

SHA256
02c8a0646178d03cdfc0f2569d12fd7ab7feea685e6128b86bb231fea41b231f

SHA512
a1a9e6c44b76c5114712e14e12c05cc0cac2f957e7aca230a04dcad77b1fcb232d9e638a17c36ce42d59c020745200ed2e01b130964e2419477c4635bd7dee8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
9d975834c4b17c331899c2b3525c2add

SHA1
806f6dc779d04feef2909df17abcc5501d7911b2

SHA256
ea95e918555295046b10b8ed8143d24fcfdc9df2b74e18f38e48557f194082de

SHA512
ef15bfb328ef03042828539ddb247c11839873b073d3978f5b644498c78d8badb58b325e8f6844186ad0bf50ff33584e3754395c224e47a9cf3d0d298f087e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9b50fc2bfade513b63753423acdcd4cf

SHA1
3fcc3e10bd1b7421cd18d0b2c290b2ebd3c932fb

SHA256
b55b3b4c200c5340ee7be411bde84319fcec50ca4b9030308491a010e6ec0c77

SHA512
28cec4a305748040b5cc6dd1b503d0fe6ec5e1cf7c32791c73f08df4046d188b2a7cc1808d34aea8038f1b2476b08e9dec29f2d521b82e849fd6f4d64e0fe0ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d49a239a5b23ab579a2afe70267faf02

SHA1
4916e2a3c2d13b9dbf34092a73ac8df3e7627bb1

SHA256
ae1e23617965ee0fac637104e39e1d79d5d3121b6843aa870d5a49c6fd0156bc

SHA512
c61b3c1e45b25325c60b7112ad19c5628649d8efc906e208f90ddd44d27408d55a7ea0ad5a5ba56e213c4643af34611e53c2aad77e8daad64f308e4be446062d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
35302840d9435e1f5a23a2aaf33b0aa5

SHA1
e3e1053f56d3dd008069a6722a1935f67187ca53

SHA256
5283fa98ae17ba4ca2f0d04d9541cf51345b7437a62a489300d6e05a2a81bdb9

SHA512
b4b30855659ffbd460e8c7037a5473b9c2953290a9f8da89c4f666a7bae74a04131a7f2079bc52f3519e90c49e87cfa0d50d2fdea1f3d208e57862bc3a70bae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2c69e17814fd785725267d14703ec55a

SHA1
232fb6d675c9eca321f1dc47d40dace35edc51e5

SHA256
aeaf1847e00aaaa334af71c24c22835ecbd43c037bd89938d301ac7db8fcaaf1

SHA512
1238b7827ee5dfbd2680c36e615ad5650b954f77b5ee45416d54f7bac8fc5ba6d9de4d3b77a09440e35c2cf2954f169ab07f82aa62214094e9a275e3eec78c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4d4821c98053f9ca4099cd86296ef75e

SHA1
6551d0fb92232335e9e45f77679db1161a97a6a0

SHA256
4d41cf5545d8524bcd2d6282bcd1c3df0b13e76c3fc2959e32a2414198cca4bf

SHA512
edc4ffc0ccaa5ad796f2b0b4d7b6e5090b4c099d3faa7b30726d9fed95c7e001ce15f62b3cfabf02e3be864b1a0b5787e520d8db8e54e9fd54281dd0d19fd4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5ba6e05ad72db7c84b9f75c81e16caac

SHA1
837461df7ac0a5566e063c75ac5e0c95c7f97eee

SHA256
37e662f317a59064473dbcf5f12bc3046689b72eaf67887b9c51d213989f66c6

SHA512
717d54e3a071f1ebebbb99387d11779ce74399a3f12a569cb89246941b7dd65195892819240127ac18fd081147533f25aef1562b514fbc1dea7b88822192bb93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ff0efd180c83bb6d01c275f1c4ed6da2

SHA1
cf717d4f8778f9814b598f13172631e64e53bbd6

SHA256
a3c8decdd9d572accb2e23d518df07e3372da2fe76413d7231b854e13ba9c969

SHA512
e61ec3a351c635cfd291a0176d687ad57a8e202d0e9921da437954dab7c1b97757963d12de4b5cbb93bd6380e065cd9a22f5946acfa4edcdc83eabf0d3e5950d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
19b9fe53b307e0ad80c60883be5f7a73

SHA1
2d58fb2df8a72f23f49cfc2e723610452ef14779

SHA256
e43e2bd5ac0423dadab59232890530534954043f322278f7a9c9483089b56385

SHA512
792d325a48b4c28d14e5dcdf7dd5c2b16e0cf13106d2c1700ec94417149178f201f1216eb6b52762fa4bbe131cc80303ac18650def02e099e2fd41735d2a247f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4b85d8fa61550bfaa06e678f9c809119

SHA1
9997f5a7f2806f68bc350474c94037c0634c7e2e

SHA256
fa442a15c32f07923bd3908baa1f94939fd2542d472092b2e7e330207de98342

SHA512
54312defe0331e99f4f2a21066c707eab5bbc63cd7c1632f1e43fb69d781bb8ec5cdacc1e6eddcc70b706a9b6fdea68c41d63b7ee1e06cb8b2eab7c6d3593209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7846f06002cd992c6c3546c473ffe3d0

SHA1
67fecca22860d6707f90c08382f0cf5e26efbd9e

SHA256
d279e77d542fafa6ec9ca03ced4d494dfe0b75e88cfac5c467b3f30e4c88b211

SHA512
98920f04bb539417d73938d2442c94e4a544d70b3d02d9aa01b1822a56dbb46bab14edcb89acdc46788e2fa695577eff2fdca77bc01bfd00f792285c31ff4cf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d188.TMP
Filesize
703B

MD5
145f13ab0f9e367cddd7735acba5903c

SHA1
84caec6654d9b570b4ed758d9dce995ba0dc6967

SHA256
0f17f2dd22404f9289442744bd4b44689042c8eb2a74480bae8d142dc23718cd

SHA512
fd439ef2476f58c94142ac5eb40e7a024f5b09d1742e073673c306b367d84239262f23ce811a68e826e2c3d59f4b5c76631726f63ff65251577996c234b7cb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
081d3581fdaa30331764cad8f86fa75e

SHA1
e7820ec2a8de2fa2851a0f1b0569d56972a98473

SHA256
e98cb3cb8fefb08298689afbb761b7c51493151d72725f19c556a521083a6a01

SHA512
267974c80909ee9231f4f5ee2e97104d26103f3028f9321497a3de294fd2e1cf65357a5de0b8598811785b332152226ac1c0cc7b144eabab447efcca91b34021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
112KB

MD5
106cc3859b47c45cb29f189dea73a4f9

SHA1
6edd7563b57a3b318221313446ca62ca21b14776

SHA256
24260a7c442ca428b978099bca1d9e29675966852d4c06cffce6e3adf747c667

SHA512
d6711d7536cd8fc5b4d9dc6cbf9b02e82da5a6247229b36b81f1bfbcf06597200291a677ebd7d67778fa680564166c35bf2dbe20b523aeb1b9ff7b4a3874646b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
92KB

MD5
2a73c2aed44882b7ef20bbddc9bcdb84

SHA1
1cba382fc1fb3c6a2b4872a373171d0c6ecf780d

SHA256
2ae402158ee4038d6db95ea7948a8fc2a0af7a94311d4addc7b7423bf3e5d855

SHA512
ed720ba4e3b6a1a6b744ffd0a7bb0dd610e47eeee31a489cebec6bde251ce0cbe7d0280a0c80344b371025c39f51c614f84b091308ac4818fb55c4bc85551d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
2KB

MD5
d0246f49ba0713221bb87b0fb398960a

SHA1
2071c0992539510c2a63876b2b75848856f1850d

SHA256
ba63551fd268022382541f343fa1b9989b957cca70999b433ce9599ca598077e

SHA512
91d0557ce0eaf28d8d5fc0cb9becac5532b0c6fcff56783080f875f05a7b1354e5e32ed0c8616261bfc92f3a8f4cb21f2b2f5ad8aa75d25e0f161726eb162ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
953c045dbc6177c3cd193c7838fd6ffe

SHA1
4aab690cdae43945e193ed83c2a79235c2c99ab1

SHA256
6dad8c458ce4f56f3b5e2b473151533884d2f25b233f2827a3a37c1efae78fe0

SHA512
c87f09028b2a53ee12ba3a17b733811f74020965ae3dca6efc2d4cae2a2c00b2a0ca79c22ba5f75c1330c5a6c9c1942afe04c65aba662970deea15fc63a44229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
9911251f20ccc8f12d5a02cb21e49ef7

SHA1
41d43e7e934f244fe6a9b4f368cb3fff83bf1dc5

SHA256
eb17bcc9f3ee590b779176c79fca5d3cfd3a22d364b6ac005ce1f995d39a02a7

SHA512
954c4cb19d5a4edf2d81966d1aae4d5fbb3f33f958ee315fd9f80b89d0e162335c085f85bc3383717f2bbdef37979a7d0a15f3106d105e8acb0c43a523d54396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
afef43205391f0770c0176c085ed2ba2

SHA1
be401fe3256149cc873c23bc5285c24011461711

SHA256
c39f59bd6ace284aa59165be7b4c73fec50fe01d750ebce5edec0b8d1be8be09

SHA512
11def837ade3c5b13167f781a48bde41f821d416cd5eca93afbcc2238762f698c45e3c1410c33981322bba55c2543272773f59450dc93a05cc6fd8b419a7dc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9aa9c7089a8ee725f53a92b2973d52e2

SHA1
3fefa1155804834bc8ff68487ebf0d5217e60cec

SHA256
9ff42b29d8e2a5bc73dd8a338646e2d2cf4a0d510b48409bdcfe4f531f975beb

SHA512
d6aa76d92fa07a6ba8ec618deba189361902eb9a5b848f159bcd76737d8b3b52d4998e62b63cc09599879cd4f6febc142b3a42189046f19d380bd9d57475c890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3c88dae817f919663afb118d1afbe3bc

SHA1
bf8a4f69a5daf1762dddeaac008ca73cb37bce3a

SHA256
0f65e25ed94eb2c2f81f22373993dac2e3adc887b7f39ea29827f1f83fe8d797

SHA512
3ae760c28ac7ebdd8c3fd81f9920cae069a33f886e1c86b5bef7723fd61a69b3784f14bd6c00f402400379bb21900fbd571f5cbb3d2d88f84f93124b2b389bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ce31fcf838c521ae1fb14aef3f01ea19

SHA1
20a4bb03947d2f90b148ec3240687b1a585422af

SHA256
d6d7d9855dce9210cc13d08384fd9a34ec24a4e446403dc70738fca68e54ca98

SHA512
aca37659a1fe73187642e8b6bbf87aa3ac60c6a418d2cd22f1ee7c50c3be24288859a5f950615696e834ffdcf6bcd5438325f5be72c47aca5b2a552b9b44c483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9e3da29d3a9239a648c4149c9742a34d

SHA1
ed4a644e81adf0889777ae0177cb096974f41b53

SHA256
0a97f9c367ef888d5cc10c86f53e3e47f99ce31e2b19d642ebf2a5a43e837f0c

SHA512
f66743d9e41614005dece69a7227b24c428d1dabb1a36c61de9159105cbb3a86b20aad2ab7e852e7e8713ba950fb7dc21f57838a782f907047aa43f36e91e2fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
7503f1e7f5e999ea7c99de71ec136ba8

SHA1
9b29b3806c3644d9121ad939154bf3a823cd723f

SHA256
c71d8969c192276748083fa0147bcf307832fe58fa4ee0438fe6adbfb6528671

SHA512
e8a6f1ec5a750928b3d1ad2269ca5e3eaae47fbe93f1a70510d9ff75dff9fc104cb1697e4fc6dcb06535fe4b2f4b3ec0d2f30f0ea1e656171f43c0f3996805af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
384KB

MD5
4a26685605524f8842727f5387fe4c29

SHA1
f4cb9e43a40ad05b8829e383fc3895bab754d950

SHA256
87415a5a40d1fe0503b7533d93cfa057a18517e3614c26a92cf7030726a0937a

SHA512
a9f2b1a553449795edbf090007d360df1bccbe0040c06d799e06dec2fcd5e8a3d76e263124cd955b30e35a8f4dbf44638cc3188c0a0cf2ce2b9fa5529496fad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.2\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4
Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
ff7744be4244b04113eda1be9388bd91

SHA1
e306092037e03c7398c7be00a6690338b433a330

SHA256
8f9adb82606448b848563aef48cb7aa7bda84c897a81750de279aed0eed36b5e

SHA512
a0be82a5cd2e40402647d3ccd508b5b4f18b903c7f835987bd1a55d81e8ef92b0e77ee15ec0cb5ae386589a5c4adca87b85d9fb924d213403e0b89d63dbef4cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\98b87f3c-78d7-4a8e-95b8-71e664da9d85
Filesize
746B

MD5
1eb64ce480df176e99f78ac29cc5125c

SHA1
838d755ee70ff32b9074b6622cb88239705cf00b

SHA256
68cc7c0bb6cf381650eae6b38bc41393d7f4fb83cc7f97ab42f843c8cbc61532

SHA512
66c0167eada36ddcfce2a66435180cfabc42f6be59a09e56829f4be4e00f6594494ab50f9ebbbdef01fd31daaa1de5957b94d2da15effe37e11a3266f02c3f22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\d8a8ca88-28b7-4f65-ae27-960d3bdc0199
Filesize
12KB

MD5
81f7dff8d9cd7f5fcc4438c83a641f68

SHA1
f3634c0591beb395846770f8ea0e1cdad7d5b992

SHA256
c7420dc90ccf532526aef8b6908bf740bfac94efe15c2828f306a101afda036a

SHA512
933aaa3bff640daceb67628f1fbe865b6387499e18574f27280a8d9d4ca5bbc78e49e9f78f79b206b71024a9859afd76da0129aba1613571ae2279db66b78fb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\prefs-1.js
Filesize
6KB

MD5
4ecd9370ef10e8fffd253910039bc957

SHA1
0a9a7a4f6c09cc726b2452e146345a59bcc30189

SHA256
a2fe1f4044d58b70028ca440488ba788ba1cea78f71af3d09aebe1096db25083

SHA512
d2c298241399b3837b41277b02584b76037430205b39359301b321bf545db30e3c43e7eeed7262f323319a9be060c90089cefc5dbf8dd1c1b5563aa74d7bb4ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionstore.jsonlz4
Filesize
885B

MD5
03520fc4e7dcea94a7fe70c0c1c697c0

SHA1
a261bde3a80e1fdf2ff69549d1303e126cd9a63c

SHA256
2abfb59c69bc66ab526e297b14056eb73d972c922467ee85a34be13346fcae29

SHA512
a8744591b8398a8d65c146808852c29cf96382159f955586e1187f60571c25619a37a2b10e216b220d64899d584ed0b599443dcf8e7a4fc8821dba23f0b7390d

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\000.zip
Filesize
119KB

MD5
f5d73448dbe1ec4f9a8ec187f216d9e5

SHA1
6f76561bd09833c75ae8f0035dcb2bc87709e2e5

SHA256
d66c4c08833f9e8af486af44f879a0a5fb3113110874cc04bd53ee6351c92064

SHA512
edbdc1d3df9094c4e7c962f479bb06cdc23555641eeb816b17a8a5d3f4d98f4d1d10299fd2f9152d30e3fa9e5b12c881fd524e75612e934b287109492ee1520b

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip
Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\1236.tmp
Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
\??\pipe\LOCAL\crashpad_3108_NPGTXTPSLXYWKQWA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2324-1532-0x000000000C270000-0x000000000C280000-memory.dmp

Filesize
64KB

Download
memory/2324-1540-0x000000000C720000-0x000000000C730000-memory.dmp

Filesize
64KB

Download
memory/2324-1507-0x00000000061F0000-0x0000000006796000-memory.dmp

Filesize
5.6MB

Download
memory/2324-2409-0x0000000074270000-0x0000000074A21000-memory.dmp

Filesize
7.7MB

Download
memory/2324-1524-0x000000000BF20000-0x000000000BF58000-memory.dmp

Filesize
224KB

Download
memory/2324-1525-0x000000000BB40000-0x000000000BB4E000-memory.dmp

Filesize
56KB

Download
memory/2324-1528-0x000000000C270000-0x000000000C280000-memory.dmp

Filesize
64KB

Download
memory/2324-1530-0x000000000C270000-0x000000000C280000-memory.dmp

Filesize
64KB

Download
memory/2324-2376-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2324-1534-0x000000000C270000-0x000000000C280000-memory.dmp

Filesize
64KB

Download
memory/2324-1535-0x000000000C270000-0x000000000C280000-memory.dmp

Filesize
64KB

Download
memory/2324-1506-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2324-1542-0x000000000C720000-0x000000000C730000-memory.dmp

Filesize
64KB

Download
memory/2324-1544-0x000000000C270000-0x000000000C280000-memory.dmp

Filesize
64KB

Download
memory/2324-1546-0x0000000074270000-0x0000000074A21000-memory.dmp

Filesize
7.7MB

Download
memory/2324-1547-0x000000000C720000-0x000000000C730000-memory.dmp

Filesize
64KB

Download
memory/2324-1491-0x0000000074270000-0x0000000074A21000-memory.dmp

Filesize
7.7MB

Download
memory/2324-1490-0x00000000009A0000-0x000000000104E000-memory.dmp

Filesize
6.7MB

Download
memory/2324-1961-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2744-973-0x0000000002A90000-0x0000000002AF8000-memory.dmp

Filesize
416KB

Download
memory/2744-970-0x0000000002A90000-0x0000000002AF8000-memory.dmp

Filesize
416KB

Download
memory/2744-962-0x0000000002A90000-0x0000000002AF8000-memory.dmp

Filesize
416KB

Download
memory/4768-1001-0x0000000002870000-0x00000000028D8000-memory.dmp

Filesize
416KB

Download
memory/4768-1018-0x0000000002870000-0x00000000028D8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads