badrabbit | hxxps://free-content[.]pro/s?tBWy

Analysis

max time kernel
598s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://free-content.pro/s?tBWy

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000237e2-2186.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
3244	BadRabbit.exe
2880	EBD0.tmp
4072	BadRabbit.exe
1712	BadRabbit.exe
1592	BadRabbit.exe
4424	BadRabbit.exe
4184	BadRabbit.exe
2656	BadRabbit.exe

Loads dropped DLL 7 IoCs

pid	Process
1648	rundll32.exe
3728	rundll32.exe
1140	rundll32.exe
4480	rundll32.exe
4428	rundll32.exe
2672	rundll32.exe
4600	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
304	raw.githubusercontent.com
305	raw.githubusercontent.com

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EBD0.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4300	schtasks.exe
3220	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{5A32E8B6-B0C6-4B7F-9F5A-8B0A550EFAA8}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 140504.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
4664	msedge.exe
4664	msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe
1256	msedge.exe
1256	msedge.exe
1256	msedge.exe
1256	msedge.exe
768	msedge.exe
768	msedge.exe
1268	msedge.exe
1268	msedge.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
2880	EBD0.tmp
2880	EBD0.tmp
2880	EBD0.tmp
2880	EBD0.tmp
2880	EBD0.tmp
2880	EBD0.tmp
2880	EBD0.tmp
3728	rundll32.exe
3728	rundll32.exe
1140	rundll32.exe
1140	rundll32.exe
4480	rundll32.exe
4480	rundll32.exe
4428	rundll32.exe
4428	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
4600	rundll32.exe
4600	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1648	rundll32.exe
Token: SeDebugPrivilege	1648	rundll32.exe
Token: SeTcbPrivilege	1648	rundll32.exe
Token: SeDebugPrivilege	2880	EBD0.tmp
Token: SeShutdownPrivilege	3728	rundll32.exe
Token: SeDebugPrivilege	3728	rundll32.exe
Token: SeTcbPrivilege	3728	rundll32.exe
Token: SeShutdownPrivilege	1140	rundll32.exe
Token: SeDebugPrivilege	1140	rundll32.exe
Token: SeTcbPrivilege	1140	rundll32.exe
Token: SeShutdownPrivilege	4480	rundll32.exe
Token: SeDebugPrivilege	4480	rundll32.exe
Token: SeTcbPrivilege	4480	rundll32.exe
Token: SeShutdownPrivilege	4428	rundll32.exe
Token: SeDebugPrivilege	4428	rundll32.exe
Token: SeTcbPrivilege	4428	rundll32.exe
Token: SeShutdownPrivilege	2672	rundll32.exe
Token: SeDebugPrivilege	2672	rundll32.exe
Token: SeTcbPrivilege	2672	rundll32.exe
Token: SeShutdownPrivilege	4600	rundll32.exe
Token: SeDebugPrivilege	4600	rundll32.exe
Token: SeTcbPrivilege	4600	rundll32.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4520	4664	msedge.exe	81
PID 4664 wrote to memory of 4520	4664	msedge.exe	81
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 4496	4664	msedge.exe	82
PID 4664 wrote to memory of 932	4664	msedge.exe	83
PID 4664 wrote to memory of 932	4664	msedge.exe	83
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84
PID 4664 wrote to memory of 1636	4664	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://free-content.pro/s?tBWy
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedb2d46f8,0x7ffedb2d4708,0x7ffedb2d4718
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,4690533590563960280,16142695363913416508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3244
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1433449272 && exit"
      4⤵
      PID:992
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1433449272 && exit"
        5⤵
        Creates scheduled task(s)
        
        PID:3220
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:15:00
      4⤵
      PID:556
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:15:00
        5⤵
        Creates scheduled task(s)
        
        PID:4300
  - - C:\Windows\EBD0.tmp
      "C:\Windows\EBD0.tmp" \\.\pipe\{01AB89EC-D384-46D7-B9E5-C4E3403A5AD9}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4072
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1712
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1592
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4424
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2b4 0x4f0
1⤵
PID:224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1332

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4184
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2656
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
833cfd7b533697e0f03a11a07f7f4880

SHA1
abb1e1951b827f1da02e7bcb878ddb64169bf540

SHA256
07cf684135bb2a4c38cb21b75c330e82a1b4c1302d563197697266d7f43bf231

SHA512
9706a03c681127e5ad45c3ef5f5af3154979778d99deb62bf195f0fb22bc8dff13721d36e2d81926c199adfc21d4dbc7b85bad5a50a2958a46a006a947cee031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
07335fbb278b12973bc0605ac530b3c4

SHA1
a4fa3e8899283ea40b4a045f08e3d5a9ec2d5ccc

SHA256
1019fc98de303d3da86cf535957681cc8a3671c3a0d9fce08d0a0ff3cd829e39

SHA512
bd10663aba7091d50909b77a4f8e23fcceb31511faa7b04317fb3b6065959c2d10f655c8e4a90b97bd3fef8d0b18c8bc1c875a7dc1e8d8c95790091388669357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7cbba316f47bc2ae5222c557433b5fd4

SHA1
2b311315aa6d341f926ff1f2f169eb09a6d44e8b

SHA256
905b41c9f3f2e3c26504b1c3ba9dac9643ccbf0dfcc8c5ae20daed58da946cab

SHA512
0a926641333fd60576cc278212edb4c75027e9c53fa944450f36636dab034fd70347a0f6a0146a0676ec60134fca7fa1f5d5e8ee405922dc57389213e2e3199a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
58ad1c7b07b341a22540b7d29b07407b

SHA1
ea0460682d96281e5aeb7c7a77bbe50b546f24f6

SHA256
f72f9ece04b358ae27d02bb48b3e635d17001a9775d32f079130577fffc88fdc

SHA512
805d78883cfbdb620130d784e7ac436966123321c79b7a400a411509a604e38fd18a2eba601b729dc29b97a6bf70691c1cbdbefc15e08a44afb31cf793f40eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
10bd7d24000933b4a9b0d2fe13b390a7

SHA1
e696fa4b3cc2190f071c5cf3e434cae2f9838341

SHA256
cccf8fc27b405d70b3664894858ff4ecd35015b95667de800ffeab26782782ae

SHA512
2ab080ef5433415a3b0725030a3371ef51bbd812c96dcbb97f528cc74b852a8d82e55cf727acb113176bec6a7bdf0ef67be92f2947b41ef6c084060f904d7dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fc6ee78b41c07a54046eea2a4d6027a0

SHA1
81a5b03b9a0f7f9d550f7e32ba3ef8098ef2d7f8

SHA256
7706e9ac211c7838683a3204841234a1207ae5f27823048989abeb7c641b32c2

SHA512
007b82fcfecbacee275f0577348dae158ee21103721b922d32bd4f8bdaffeb40809d66f178b5e127dd9d748a08d3ce6c29f1190d2f8ce6729c536702b2a8f7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fd36cadbbaede4fc25c70769c68ad2bc

SHA1
7ea1ed76cc0cc085be39df5aa553f377d7262638

SHA256
ceacb330c4d65f445f0d8d9677cc6a08588fb40f902a85a97ec169b9b86ee18d

SHA512
720383f7ec3118ff30245efd8b261d464c4004aecc6ffd3bb3f89bdee446c08b95b62a60d5e3aa741b7daa477f834a1ecbb892a9b94afe98a305610c01bd2a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81810072d5860087eee57961de942f3b

SHA1
565ec61a0d64425e4d64547f3e38eaa49cb337b3

SHA256
2b5a38fba2d82480e566a2a7d65ad2400241887ec777da1ac2ea6fc504898720

SHA512
02f8c26acb539dcbe76befc16c94c3a7d9c5688b41deb93a56bcaf7be3070274461e04f95b1b63e209771916ad34025d361b2fdcf85e63718f5c557a97376782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d06d3b9de522479eb50ec1decfed039

SHA1
6ba45ac7cebfd3eae0deec27355564f9c6043dfe

SHA256
e7e1e8abfbe704012a993f83297947c3f0c107d5f52a975709fff4556df90c28

SHA512
3ec24d9bfc58561cc4f36d95b3241bddf8544c0c00ff5a15bcf57160a96e59fb1ad390682a9722e69ed0590a51652d3fcefe8f1717b79d68073c0f122b031348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e77317ec6b1b4d95bd831e789b84d864

SHA1
4509201f7b7e4b3c0dcf7e5cbdd1e891c28d95c3

SHA256
cade0862fad28e1234efa6711de65b207e7f93affb1c0ca233c059164624323a

SHA512
4abf1b24d2749f19cf1b1fbf4348d290773b0a75be1b86c1312c2f0a51fb0ea661fbbeb94adf945000837113399955b2af6139f7d78e574ddf60a5827959fafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4851f05c5ead8b700d0c3c7c4249ebc4

SHA1
a41713c3748f90fafa618806c69c85554e661d7d

SHA256
3bb241c79723a8a5b2931ce492b151516ffc6de72b6adbd9255e165861fd4b0e

SHA512
0390b398cbf475ecee221869033a966883707420945ab6ea7df661ae9b8c73b3a0d01e63a6569c9c028bf9784e3e14a0f5c814cf05be6fb93292bd9e87c66cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cab894cdd90ed3d1b184b3e09bcb2d2e

SHA1
86af59ec4db9cb80e7e68f674dbff3f58a968966

SHA256
7bbbd72c4c4e6fbb2de0f42c80fc5928b5e464da8638118bee5c802e530609b6

SHA512
e7c71e1de8a93d888c93a52fd54d51bb5fe85f34f296a4c4b36e0637a66dcd6782db2f4a227d894bea3a4d118a08a0e01887ebc8f495d32f776b3f55a1b7581f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
52a262c7e87154e775625966aff33c3f

SHA1
9875141a7d036f04fa9ff3b22022e80cd02f8363

SHA256
3c2bc5fa84d675996d6a7f9dd9889e4b7ee2db7d264f52b1e9a01f5952c8269d

SHA512
199bd4aa2167561e3ae1a3fa0a89ee88a06689ccbbe01be178cea871bcfe3b9f2d84decd7ff027759a9fa4487556dba94b8abd7fb544a18d241c0bdbad3661b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7413c24c55a1a97197b211d79f5be19d

SHA1
d2bdd41ab6546004db6eb5adfe092c679c11e119

SHA256
1797d9ef00f3fb02272a651daadfd145f2caed19e009687edbadcbe01d9c1342

SHA512
5b57673f33bd77d61442ec71191a84e545cb5c0aeea20516e8a90542e5ebea8ab1fd191b459b6eafe6f3ae3116f569bef7e3f16d58a14853ad880f784e8c4507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f1474a96e7050060c644576d6198cccc

SHA1
421bb75afc4bb18d73475d5f107611e987a79d3d

SHA256
1d548737c6e87d6602952f01a291c4375ac9b95787ccbcd4d43f537eaa70e3e0

SHA512
005668f258152af14fab0a54b066ac985d2e09fe3f2ead0ea7d423902a0a0e8fcb8ae7ff643dc32490318f47530ba2faf959d14715853d306c267fa78acf4708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\bc3648ad-ee41-46e5-af27-c427e2ce8c1d\index-dir\the-real-index

Filesize
5KB

MD5
c86de3401d904e63c600a67673b0c322

SHA1
402d4d8f8a16df96eee0db1e7cef999d6fe4a087

SHA256
8fd0f2daa8436df56a16fd0dd9c613f1c740c51ab2f70fc02b6735120b10db72

SHA512
8927c8eac58ee100d8f51d9d8c93d99c57bc38614e547ea698fa3462ddf820f6ac669cddf031dc64eae49a6ad9d75d18830bf3bf74edbf4536f682348eb8f593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\bc3648ad-ee41-46e5-af27-c427e2ce8c1d\index-dir\the-real-index~RFe5e8a5c.TMP

Filesize
48B

MD5
b7c52f9e2b8d713c6daeddffe06cd929

SHA1
6a8b6c9cfa5a8944863e4f8956d12420385bfb5a

SHA256
db553db8c5776ed839e38805ff76b8ea1591ae010cac076eb47136bab7b5196f

SHA512
042ffbe09de0383bc6efbe1ff159eb767c1a2cd35fd0a8130f9f79650399933b9155e6a44e83f98c54b47607bf782037973cca2b1e32fad064616a571b7b84f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\index.txt

Filesize
93B

MD5
f24c19063929bb1a6131f127a14a4348

SHA1
bb74cf534da94fbf12c0454ef32d77efe361c43c

SHA256
97ae9574f6bcdd44ec2c142401d0bda4655471f102a715f3311fd50693f5b51e

SHA512
ad21627eb9608bf99c56a640dc19274e8a762a32e63bb59a5449e84792b62ee01c7c85de343ca80934e2d7cf38d28b2f94b2cdf5ead74e8414112ca89f490850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c1eb0cde2406b6af565f825dcd492589d40ab644\index.txt

Filesize
89B

MD5
922c6d386e77830bd6386a82947c2bcb

SHA1
c934df4e798dbdebc24e39790cb99c051993a3a9

SHA256
da111450847457145af09c1f3a77c3d606689b1ce674365ff8138bdc38383727

SHA512
1adf5c4e9cbe188ef71fc02357c426a5efb4eb74b0594a0375148e5c39265f244889aebf5ba872ebf9c4fc236cee042acc15289ff01c1fb378f825ba0a9d012a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f4837f870ee52e2e44f8934ca2aca109

SHA1
78f6bc39babc087e16eb1bbc7d685bef432006ac

SHA256
487d60d2dfa48ebd7743ddab4c43947fb51c7e331918c664b61152e502d3169d

SHA512
f37618b580205cf3d485eefdf6814512e0aed8557da8bd0434701092416b289bd421e6d1edead648de7e39cffb59fbf5dd186522400d0b93caed0a66194770ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5e51a8.TMP

Filesize
48B

MD5
213a02ba423ba1e525255fb2b6b3cdc2

SHA1
13494a5efcf68782ab63342b0ee0888ea0cff679

SHA256
46c2094249703c26425dc44707ed489f111d2822268eb8e0b6c6d2c2bd58836c

SHA512
6f23c7cfdb2938d714d2ff467c400b3b16bce2c0d7d03a87daaaa622af4b63e8746f96319d5ce0689bcc78b72274b268836e3fe4fb875ab6259fff7cc94ea192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be9df7c103f5f6f6d9011fd521d3bc41

SHA1
558c96117311f3a9bdee42d2190eaa2d7b9110d2

SHA256
bca63ee0f420e85e8b4e27f9afe59f9a7f22ceea4fbfed67ae7d0852a5e09064

SHA512
97c47b75b554dbaaf4916ad19b5cdc4978b66c4ccefe98057bcb86f7c0d4a18227e32dbf69ddb29a7a821c02155ce5362ca4f1fbe97e5cae7677586ab2bce949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a7e5663488d24c9cd73b7b11e3bfa6ab

SHA1
14d33814de01dedf08a0fe2ad935a57cc28cad8d

SHA256
032839c9155ac3ce56bdaa0878ccb7b421578732a45673f7d67f2c4244f06a5e

SHA512
1291e20c725e2b39d53070cce7b5bda987c14317874bf4d5d0e9b90ec9fbe51669b54be5b64466a76ad833aabc41e96ddcd73cc6cd3d48dc44c75551d44a7149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
42c3c584af384dcad57f9ef19d45d005

SHA1
bd28bf1bd63031a58ce31424f0a8c22240415e42

SHA256
84da2cb3bcb927bc6d7401d640ff8100e5b5c70330561b287e6d13080b2a336e

SHA512
41240cc3148583ef39426e5eec4faa961f8a8c614e81a14c93f32859d2b268c6a8f7499e0a8ad0fbdcd4108d2c6229050eaff9809d18047022fcc2c7097f94d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
485519664e66dd4bcbd65f735e1f11cd

SHA1
39239d89ca23648150537cdb71a45de537ecb6ff

SHA256
dd5afbd9a6296ce8ca88c389ccb573b69fb20e669384f450f5c94303e8432de5

SHA512
e8c0e458bb2be26aa1db11156974fe513e59c810da5fc67112cc4a8fecba495e4a66e6d544770ae640499d6979ebbe81239e40ce1bbcb1e8295131ade2a7ad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
90633c228e8529f26c8f87245a5f25a8

SHA1
094c097c02ec4f00376509f80042893008416ad0

SHA256
38df63a439a6127ead30f6f8be95b9252fb1f59928d20c970d350d800c4b999b

SHA512
065c532986cffaef7e61e4f4295b278c010403f1c994e24722b32340b9902ec68d6f96015a0456b01028dcb4e6ac0e1c2df406d539b5e5e8a20cde60485948e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
507a1e878c55da6505755de875fb0497

SHA1
c94a945b23f4ab5b2bfdafc6e9dcb7cb248d342a

SHA256
668ce5c96b230f8f50718f21546118fac9bdd025764b2d084cca2a3e1137b886

SHA512
e70bccae400323aca4cbe4f180cfaec4689efcb06ad0c43ef80e48237d3faf67926c960fb2d154fabc1a0786d5fbdd8acce6ff369e3297842236808af34dda56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b5afc3c16599999f5f56e82587a07739

SHA1
215d38dfc68217b616c62223c17821554033f9ef

SHA256
adc04d9545b8adf2a39ccf863fa2e626a38626fe3d2565bfea7bd0a8c713a67f

SHA512
26acbcaa0b532584c08a0168165e7ea79c2938fea0cc577508a5e42477a7eb4f3227f29c5594d660ae1bfbd552f53420325b08a8d86e8a138ec70dd4b2d77793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
25b7a25535988be227ab8a05bd11ee29

SHA1
15e4da71dfd0c3a92a23629ca5bdf2cbd52ecd27

SHA256
4f3a68dafb4c9e0c4c8cd5189a5686352bce0c7c135a77439386ee7388c1da52

SHA512
fdd05ea597ebc0af8f0d082bc7b4c20efef4bac986c63938cc5eb93c6fa23e2416d83f89320853e9a047133be5317819d8a7f855819d77ee663b3602d1973580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5dee79.TMP

Filesize
204B

MD5
b76024740d8681a90f2999282126bc8a

SHA1
a673460e250bbf0536cbddb2afb1e6274daced1c

SHA256
5c559746e0903c39664ca2f4d995b8012f2c54e9d304ba8e72fa27ab882c7598

SHA512
b49fc8c8f64f3ab928665a271c4ae087aaa560a681d26f1bdd3e91079a324e746661ce26993a87941cc8ef613df148d89b69b6e164230766ec95d753da107042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44790339b5102df1b6cd4fcff603166a

SHA1
f679b1d6342f088a36a9213e5f301af96c732516

SHA256
0b4494af46758b74b8072828007783da35a203a0e5cbd601a611c7027bd0ad0a

SHA512
a70b58f82bc7c4b008901dd289ae739485da234fc87335f1ff7f78b2e98039e29e7bff3488c7fbfd7a3d273c8c735011dbfb31ea97143d08d7199cf250c454fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8787f24af55d8b293caf320ce40fa7db

SHA1
205ac1fa0aa8ee74ed697266cc2692cf731cf684

SHA256
261df6126e959aef25aa3616c1ce8731409d3c2ae993c6b20de8e62490c0e6ea

SHA512
dcf2079fdcf0bcf08b68f8bb41776eb984b8551566b8ea26a076ac5892da0117e02bfd09ae01d6df9a0ee1d86bb660317dd685a6e2febc3675bf06b3e4a8eb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
38b7b2b266e11bab2743f105a6ffc0c2

SHA1
1f293a9fd7ea4910175e26845967d862a90348bd

SHA256
b0e8151b67416cda070b979fed6cbb470ea82f6b9bccd4bba662b1659d59663e

SHA512
e53d567ea6dfa612763ee49c49e7507d62b22cb317fde664bdbcc117982267700e878cba024b21eb3360c42cf829f1b4af8101a2bb6fe9e93f60b105219731b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 140504.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\EBD0.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1140-2231-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/1140-2239-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/1648-2180-0x00000000024E0000-0x0000000002548000-memory.dmp

Filesize
416KB

Download
memory/1648-2177-0x00000000024E0000-0x0000000002548000-memory.dmp

Filesize
416KB

Download
memory/1648-2169-0x00000000024E0000-0x0000000002548000-memory.dmp

Filesize
416KB

Download
memory/3728-2217-0x00000000026F0000-0x0000000002758000-memory.dmp

Filesize
416KB

Download
memory/3728-2209-0x00000000026F0000-0x0000000002758000-memory.dmp

Filesize
416KB

Download
memory/4428-2257-0x00000000024D0000-0x0000000002538000-memory.dmp

Filesize
416KB

Download
memory/4428-2265-0x00000000024D0000-0x0000000002538000-memory.dmp

Filesize
416KB

Download
memory/4480-2245-0x0000000000C00000-0x0000000000C68000-memory.dmp

Filesize
416KB

Download
memory/4480-2253-0x0000000000C00000-0x0000000000C68000-memory.dmp

Filesize
416KB

Download