badrabbit | fc8809545e851fa681b06126005ebea45a76bbde397de81e041f71ceb9827e38

Analysis

max time kernel
211s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 11:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware
Size

164KB
MD5

fbd2b555c4c6174e3bad0d54310241db
SHA1

694b86d071a6a89a908e8ebf9b30cc518c728ff0
SHA256

fc8809545e851fa681b06126005ebea45a76bbde397de81e041f71ceb9827e38
SHA512

71043011e22485c4196fafd4fab5830fe09d85616f15cb24ad9fd4396c4f3c2d072293026e57112acd044ec20159305a91556c50edbb62fa6d06656aa4d35044
SSDEEP

3072:I8Lya4KM2bVinYjqPok8ValLPfkgLDoa3AncKEWV+vuI/1Ntn4PB1CTjYCFe6Z2U:A+oj52n9dH5M2vkm0aOCl3pId9Rf9Tvv

Score

10^/10

badrabbit mimikatz ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000900000002340b-543.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
4480	BadRabbit.exe
4160	F77A.tmp
2236	BadRabbit.exe
5044	BadRabbit.exe
2020	BadRabbit.exe
4788	BadRabbit.exe

Loads dropped DLL 5 IoCs

pid	Process
3148	rundll32.exe
3328	rundll32.exe
4648	rundll32.exe
1620	rundll32.exe
6020	rundll32.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	LogonUI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
130	raw.githubusercontent.com
131	raw.githubusercontent.com

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\F77A.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a5ebb09-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b845218a50d4da01	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a5ebb09-0000-0000-0000-d01200000000}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652580750173492"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a5ebb09-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{DBA7A197-9183-464D-BC8E-77F291287EE1}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 729952.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2276	schtasks.exe
1312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3612	msedge.exe
3612	msedge.exe
2636	msedge.exe
2636	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe
4996	msedge.exe
4996	msedge.exe
4792	msedge.exe
4792	msedge.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
4160	F77A.tmp
4160	F77A.tmp
4160	F77A.tmp
4160	F77A.tmp
4160	F77A.tmp
4160	F77A.tmp
4160	F77A.tmp
3328	rundll32.exe
3328	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
4608	chrome.exe
4608	chrome.exe
6020	rundll32.exe
6020	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3148	rundll32.exe
Token: SeDebugPrivilege	3148	rundll32.exe
Token: SeTcbPrivilege	3148	rundll32.exe
Token: SeDebugPrivilege	4160	F77A.tmp
Token: SeShutdownPrivilege	3328	rundll32.exe
Token: SeDebugPrivilege	3328	rundll32.exe
Token: SeTcbPrivilege	3328	rundll32.exe
Token: SeShutdownPrivilege	4648	rundll32.exe
Token: SeDebugPrivilege	4648	rundll32.exe
Token: SeTcbPrivilege	4648	rundll32.exe
Token: SeShutdownPrivilege	1620	rundll32.exe
Token: SeDebugPrivilege	1620	rundll32.exe
Token: SeTcbPrivilege	1620	rundll32.exe
Token: SeDebugPrivilege	5096	firefox.exe
Token: SeDebugPrivilege	5096	firefox.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	6020	rundll32.exe
Token: SeDebugPrivilege	6020	rundll32.exe
Token: SeTcbPrivilege	6020	rundll32.exe
Token: SeShutdownPrivilege	2800	LogonUI.exe
Token: SeCreatePagefilePrivilege	2800	LogonUI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
2636	msedge.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5096	firefox.exe
2800	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 3700	2636	msedge.exe	89
PID 2636 wrote to memory of 3700	2636	msedge.exe	89
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 2676	2636	msedge.exe	90
PID 2636 wrote to memory of 3612	2636	msedge.exe	91
PID 2636 wrote to memory of 3612	2636	msedge.exe	91
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92
PID 2636 wrote to memory of 1492	2636	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc549b46f8,0x7ffc549b4708,0x7ffc549b4718
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6720 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6745277000465072806,6504676145064464567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4480
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 479475443 && exit"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 479475443 && exit"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:58:00
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:58:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1312
  - - C:\Windows\F77A.tmp
      "C:\Windows\F77A.tmp" \\.\pipe\{2308DB0D-88A9-47C8-958B-69CD639E60FC}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4160
  - - C:\Windows\SysWOW64\cmd.exe
      /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      4⤵
      PID:5780
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN drogon
      4⤵
      PID:3080
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN drogon
        5⤵
        
        PID:6092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3632

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2236
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5044
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2988
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1940 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e975c446-5375-42b7-940d-5f18320df7f2} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" gpu
    3⤵
    PID:4180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 25793 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c13f7b2b-9da8-40f7-855b-369923a7b21b} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" socket
    3⤵
    - Checks processor information in registry
    PID:4908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1408 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3028 -prefsLen 25934 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e536ed7-3914-42ab-8ee5-27c78cd8fba4} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" tab
    3⤵
    PID:3624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3944 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {811673cc-d94a-4c7d-8f39-5e47f42c4995} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" tab
    3⤵
    PID:824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4812 -prefMapHandle 4808 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a198ebb1-9d12-4d2e-a282-02fd6386f0e9} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" utility
    3⤵
    - Checks processor information in registry
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bc69e50-220f-4968-ab92-c45243465bb3} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" tab
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5464 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8684c39c-a115-41a5-b1dc-ec73c05c4fa3} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" tab
    3⤵
    PID:5424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c5aa1f4-c790-40a9-918d-bdf57cc6f42c} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" tab
    3⤵
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 6 -isForBrowser -prefsHandle 6044 -prefMapHandle 6040 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cea7c4f5-6838-486f-a174-b3e0fab7f88e} 5096 "\\.\pipe\gecko-crash-server-pipe.5096" tab
    3⤵
    PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc5cb0cc40,0x7ffc5cb0cc4c,0x7ffc5cb0cc58
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4468,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4416,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4964,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,13038100564657905157,17142611078598621394,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3180 /prefetch:8
  2⤵
  PID:3248

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1840

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4788
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c0055 /state1:0x41c64e6d
1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3419463127-3903270268-2580331543-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

Filesize
204KB

MD5
14146d08fef3312c0e9ad7d734daa6b1

SHA1
2df8a78a227c0d812a0e730272309dee2969a006

SHA256
59ac62b0436d6a2d968c639442dc12061d6356b94e165d62367864c79924f327

SHA512
10478b8d8172a13a4b8daa3b79d7aae11d83a61ffa04ff50f311aae7d9cbb9f80530b17de698c6deabcc6acd7792ecdc8d4d51cd8ba0037dce46b8b1968f0ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
173c67fa76aec963b1cdbdefe15e2867

SHA1
72092551e62a6eed40919352074e74084c9f635c

SHA256
46e40de939f4e67d8e2e0035e0b18da992fada543b73d9cef431b94b0d59541e

SHA512
36c57a9995aacc8cc2ab655779a6f8d5fac9c726cf2e87dfd73ce5417be84dbfcdc9752dfb6ec34aca08acc4e80cd2455bf676c184a3037bd160f586c8e63513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
76dcf0d8887bb619057b91352c4666ac

SHA1
67e5a4ace088dcc855fb5c6375d9864c971a4910

SHA256
6775f694550ca84754d5171d0ba1f6326dd516f503739984ee9caac1b3b10a7c

SHA512
51fc77cec77c5d2971910f0b7587211585d18dc090b7f5534e93b9cdc8ef4acf3a90a40f9bf0f88dc2e5340462282f9e78688919255e2cae96a4ef8ddddc8067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c5b2f1947e855012bf6617ee412fa2a2

SHA1
bc5873c2b06d7a456fa36856b1e5ef299c1286d2

SHA256
cc75d153914687b0c62591c5014da3bff6230b3ab77acef088dfadf765cf2189

SHA512
075f7b7a4b9b287459064add27658f66ca892ed6f2833f59026ee6ed337b37bc4a52625a3f2fb33fa79b38b0cfe4438f2e770651edd0834ea1704831c19041b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f86aa69473ce488366dd7506b3a9181

SHA1
06bf631050d9528e7db17ba476d613361f8b093a

SHA256
39142acca585a965f661dffdc94e8b68b6a8c387cb5dcc1d1eaa31d320731274

SHA512
4853f9f248da67e78168edf5344c3fb040b79c2a70a0eedba3acd20a5a721e08e1cb3576894f6d5375141f9d6e348f54e32fc82a51d479127cbd261aaa4ce9a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5abba5c0edc715463e4fb577c4c4d80f

SHA1
6c6317884254737e09c0be51cba3996c70458350

SHA256
41b1f5eded8cde775ff2e9c6676eae30d4257295d3229484c5bfc7f5d2d33bfd

SHA512
4645b39e45d2f5f8174582833dea51b8d376a2b21f80cfd3b6ef64d766f775a4ff57242834c5bf32b03ef7c452bc617ff19a5bbf551f9cd13814221070501cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
8feb9c57e578b26ae4953ec64f9a02eb

SHA1
7100cecc1d7ce79915943b6f656c4688f816395a

SHA256
33c5d1a5ff79e931b3f0ef45d24b57eb658412090305ce059aea1eac00887b4a

SHA512
bdbfbae1a863c708b406681d3a1fde79d239adfe85e85c22f9e7668b114f4f4a394fa42390ef5a9a4fd9c8dc5d517ad76d34ef0b58b8cc00ed0b4c78e8863cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1f1411fca1e7628ec6112727ad168d69

SHA1
5c47c00b456ccec8f47f01ce68baa06784796dd1

SHA256
5139023bcd0fc5d6d8d8b2d7ba502695f36f9745714fc4ee39ceb05e5d6e9425

SHA512
ccc1c775972141c55c58a092a40c07d5934546e0bbca7a3d92bf29729ba1d4631848262d80e0e281292324a6cccf715c34151466492d98add8fa2c80b8e34ad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
741B

MD5
0259b94a40c69085ae936df6fe62b7b7

SHA1
67b4a13931f9a3e6770188e647b36034d2c842f3

SHA256
e7ae750dba4859c7f50bf12b1ac57579f833aa45412ae79c6118fc4a5ca3e232

SHA512
8748ff83c8823425175e463b90f7894a9e2a5e221700c65f4d6386f7b1dc90ad6bd9a3a88b64a49809b062b09331f5f582a9d9299e3fcafd9c6161f23da722e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77310fb1d75222b31007e03635f535d9

SHA1
1d3f9ac53776d2da8ce506f8608e2795f1c3802c

SHA256
2e88536add7fbfc060394c1663a97f5ddbee66a0353eee8f0042c5d895413dbf

SHA512
01a3cd8b07f9c93b3c2fa4b6c4f58f8a9e0333e04ffeb9de35f57ed868fc8a141e93b1d3e7cabb5a579318356d3370a1e509107a5acab3a76352ac5f332c0ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e1b2d601e3ab9601b29220e4f6f31bc

SHA1
a8ad8b87586bde4e235fa04f758714cfd7bf0642

SHA256
0e9f7f55b3af7696f0d897a28aa415e22e89e99c602e63acef8e8d85c17c6fc7

SHA512
3611b8c907b40e3696eaa3167cc67c8775dfd398d2db8e340a5061b770ee07329d6841e02faecc6f4af3d90868b1ea1a8a188081dc394d85995bece9c2780c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9e7f550145a65babd4ea2fd7e9d471e

SHA1
4ab1559490adc997e3c49de99afd0ef418245879

SHA256
c74c15623a5b842ead8d650f99a80862bbf976020dd1be21e9a23e7af14e2c5c

SHA512
c3875585d97a5f578c997835f876e09fec1a2ef842a4228d7bbdf14df36d2c741c09859bbfb3edd3e332a07395614a8034a7870713d6782a7170b30ff7ea110e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0057f640f560640346d4131994450d88

SHA1
737cf48f633ee4477f600707764fca33fa6e669b

SHA256
3d9022e8b0eaadd08d21d35bd7a5da06e3ecff4e2a54347ac9aff48049460c3a

SHA512
54f68815e2516192aaef72b15b946f3144a186271a974693288106683f8a391e6deb66181064c6b9db8fd1cc7aaae44fd3d91b07fd3a16804a833376051602ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf180b1c153fe9975cfb97b8267c48a9

SHA1
12089202eaeb018484d6c2374881c02a9998a51f

SHA256
920f0a73909d22cf56dea1cd476d44ceea8312f40cd64a4c35ebc866e0cfd204

SHA512
f88ad4b3daba90c8281956f5ea1c2750d2f91d513c44a9b3d8a97c72dfc3cc8573d81551fecbfe58e97902e163b078224de692ab03973be4f140b23a54d3ff36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69a93e8f29cf17887b46e25d381408cd

SHA1
1493ab7b2a03a41fcd61b17e33eca828497e4489

SHA256
019476200b21a3f82890961a0d921603082a200ca42cdde31051f96212b647ac

SHA512
a0d63198b982066710ceccaff35c836f87d0eb7a558db93b458650a8c2fdbb9a59eb5dfa9708ac0aea333c4f943468c0760cb5af773a2e309d529032917ad08b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
670efee2e4cc9ffab9a13dea96647843

SHA1
b3e1262d5d7bd207eaddaee87272bc5ded6dc8d1

SHA256
07b2f13ff3309544dfb060a90af2c63ba57e77a066309eb478a970e7deff316c

SHA512
f746bf447e70794a753273e02aa2042406d41ab1394277726520ff2d5255bbd56221eb5ebdb43535de42b4435845de86c5187bf9eb710faca2cc506cd2990eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cf7d031bb23bbe67c0c4bf7476bd818f

SHA1
ec185a2e1b248a3efbdc91905ca1aa9d0e2caa91

SHA256
1f3f46ca911c623ebd2ffc0f1624a8c8c91c629ed9124e6749c22d9215a38e71

SHA512
b46518136ca87c2222a3a2202b83dc53dde60b397648f36bbcd3dac0ec05d82c6b61d01e542080090ed1af23cbc4b19406777441e219351fd74edf4def2f62b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0c47d0d503d8d956ab7c587236802bee

SHA1
b4b4e3d8a7fae54222cd68952c0da8b0ef3421b8

SHA256
661d8996ee6b504528c23711866f5b2426eda21de9d3fc626c743e8bd0455736

SHA512
597481afa12d140644285f11f7122651d967fc330e48bc46f0efbeff9bbe6e98050d9636cdf47543ca399cfcabdc51c0dc3a4c94a83947621ab73799d36c3537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
b3b49a81e5439f276c0f012fa51ac781

SHA1
c0b2ba5a21eaf181dba408cfd3dae685d1becabd

SHA256
bd2ca23c116e3cebf0d7b0460cfeb7d919fb3331ca3e6f461ddf300f3ba8b2db

SHA512
8c6b79a851fa32038a2a394ef8bf0202087d73452ef7b8e93ff921a88fb3b793faac5c84de8fab05eb19f60df6545f7e4124f11ccd83848074e54fb08faa58a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3df20710e1c371fedce3552fa17c09e0

SHA1
83ecb3404aab5753cacd32a9a9e631757b2e9521

SHA256
dd7a8090717664c9e43f4db5ee2b018ebdaf12d5a0a7674f7bef963e686dfc2e

SHA512
554f1d0d7ba44288fb7e833ca3c8e8ede7384fc5b0c7874d079d322b0de048d47643ea0ebf573090e0b3634e251a208e6ca4007f98998e529234509cfa19fe24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5843ca.TMP

Filesize
203B

MD5
cd0729a65baf203d3e2ccc145207553f

SHA1
6d97cb2de2eeaa91834d7a1dba5cc50ea576b170

SHA256
6842be624b867b4990bae8a849ba7578df2fbe3ca9a556db58c60cf636386368

SHA512
7627053df31ecc6a6cd5f574010beaaa6197276b9322a17e8049aa43a180823086976cdcb686da81bf5d1ecfa0df9d10798e1e058e352ceafecc3a9b3e725803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae1475fce78eadf3fd514aec7e1f8364

SHA1
692ca12f66ab25baa10353b00a06d80b6fe9d07b

SHA256
b2669caa78ff442636869c58dca225e393609b8af379846fff403803a9eec933

SHA512
fc50cd9ed4fc75e2275bae8a3b38e9489b73b84a6d2ac218e38822a999c075863952dcaafc96b9cdee3e58e26b1c052aa7386fe8b666eb70603f86b66e2c8f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
db2667470e210546b2385d5757722057

SHA1
05baef688b1244d77296fc285d016e3614b6c1bf

SHA256
a767849359262aea6075549dd6678aaee04cb975d36a6890c99a8b5dec0547bf

SHA512
dc82e1295e00b7c43594affc48e5543c2652d0f1231fdc71583154cc86d2f2876b1df6e22b9c6605223f93fddf6e8631fbe192e814b354e123d1d9b786db75d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cf1b7070a2669b7008c971f971dede88

SHA1
5557dbce364ac2e7b42cbfeead24b2cd0e177656

SHA256
c49f184e2f832bf59ec227c6cd36212bbee4617cbb4b05fdba09b0a41ac65a9d

SHA512
2a8ed29938d726cb45e88750f447b4cc577a4aa6b8a8813296a5e45d5cfc6a73555603db982cda1d651b5e36971d17f23757e39c2f6f22509e22aa89e410c05c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
0ec775718b43662cac39269856e287ab

SHA1
e327640eb0fa5ab642ae420f4b4a67611ed1feba

SHA256
85ab150a7c7e82e5d472e1b5682014b589d3559b0fb66a18589554a747636a94

SHA512
08b51aaa24664b11ac6cc03184fb6cbdd6e03c7cb694e99a8652027d1588a08d468e353cbd40a0b382180de32bacf6f8da6507172bd1e93ce2339f20f425dc3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

Filesize
10KB

MD5
7ff0aedfad1eff4dd393541f51a88644

SHA1
920180640619ebc48e1cd0e633db1f7a472538b6

SHA256
29255dd3626d4db8bea5c34770b8c6ab6f0b6453a6704726f9c534430f629c32

SHA512
65187325a0f0a3d7ebb0e71b68713d2ee8bb1f443f0f216add0bbbac22b0410ca5f37737401b397f895333160915d6590881a21bbceeb83e53863ae018e5c55a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f0f12e9eb90ae7ede4ba1b3a611d17fa

SHA1
6c844cabf626d6dd8dea082c467ede9da4c9e8a3

SHA256
c45d42c252cdb503f26b5fc8a37365e14fa2b0793b7826e34e90d1f15e0ff724

SHA512
9a870bf9fe0aa477b55e76a44089075c731c90b78c12bb7eebaf2f6e909ae785bcb9646f4c2547c286aeabce4df65ec14749ff24ab8cc226483e54033d3f3da5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8f9170804a037056fa89057e42cd364f

SHA1
7fb30d2a0b2725b96604a6de212659aecef9833c

SHA256
778caff43293714c74f8489d1e11ccf1c4f7538f0e57214512150a1b9f0a6313

SHA512
956bb67b94c5a831ab52feafda56cb16d56f3f3f2214b08421ebe673dbbf2ef8ed19b15acba1fc8329c4632ee48a140af442c6b22f726f2969c4c40d616317b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\45e156bc-e49d-4e03-afcc-11bf63f24270

Filesize
671B

MD5
63d60dfc23de7b3b8db8368ede633f58

SHA1
837e3f8f488c60eefcaf139e3f850950423161e4

SHA256
5f10fd61db39a990610a6e4fa46b49db43a351b865e8ff213955c22cdbfa9872

SHA512
965a310da424978a2033026c714387d6dc176f89a49116218cbfa6a3568c35881d690214b21b16e56ffd89f6a380beb68019ab41a83b24a4c829420a90827231

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\6933aba3-9491-4cdc-b109-b9e5ec820420

Filesize
982B

MD5
ba35a3da57f5af752c1a66eb8834da1b

SHA1
4c4e1f8a3ad34706a3ecb2b0a408a6c7beda16e4

SHA256
2521c9e4c0e36174fca210b448a735d17b70d0a606b9163872b349d95695de0e

SHA512
0dcee2ce11f38158233f4efa5853c6f1391f89fe45dddf87c49a037aa25cfb99d3b1ed650569257c9cc01a251a91d5b53c7a1021ad157012ccbd704d3081aca1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\ebf858b7-ec08-4d81-bfdb-58aa09312d6f

Filesize
797B

MD5
8f3e3d0b7d34d97fe8338256c164c126

SHA1
3fc8125ea1dae99ac5b5162ee6b1e64e63ec6e9c

SHA256
f5e9dbb5acb3a667a07772f45978041c488e0c57b1205a99acb46c396f3feb04

SHA512
8e93f4f4705222886b389310439fa8cb6630ec50766f623a7c682bc38d5aa9dcba794666608ea1e235e96c1ec1a97037ece869ed897eb78b5aca79e6cd0a8032

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\ef5b8b94-605f-4dcc-95a8-0668da813000

Filesize
27KB

MD5
3574832a6083d57b3e35a931c26f5fd6

SHA1
f993b1bd12aed9154c3a9c08611747989d32cbb1

SHA256
855f65743a39aafaf19dcef02fe6a3b3ec7320f525067a096ebef34005e2706e

SHA512
a2723d9e0e6d2bcede53342549c045b54fec43672c1bcc2b443cb7db38e38849c45bc5afbc9761753f1f7f9b12319a4f6d1903e7899c25a3aa326b55a78cc987

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

Filesize
11KB

MD5
3186846df6cc75588b5e79aada95f694

SHA1
f5bae21380de0593476f30f90661ac911b6fa558

SHA256
f1a4404dfe384436f9e914a91ef42c63a7433083f595384440f118fd357ebb60

SHA512
1e6776816c2399d4c87e78172f093cb0e171a660f3599c6437305707ca3a2ae9503e5e953d583a577a3a134ff603e5b25ec3d607ad40ca376dd53d30bab7c6a2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 729952.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\F77A.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
memory/1620-727-0x0000000001600000-0x0000000001668000-memory.dmp

Filesize
416KB

Download
memory/1620-719-0x0000000001600000-0x0000000001668000-memory.dmp

Filesize
416KB

Download
memory/3148-508-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/3148-516-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/3148-537-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/3328-693-0x0000000000B20000-0x0000000000B88000-memory.dmp

Filesize
416KB

Download
memory/3328-701-0x0000000000B20000-0x0000000000B88000-memory.dmp

Filesize
416KB

Download
memory/4648-706-0x0000000001340000-0x00000000013A8000-memory.dmp

Filesize
416KB

Download
memory/4648-714-0x0000000001340000-0x00000000013A8000-memory.dmp

Filesize
416KB

Download
memory/6020-1352-0x0000000002580000-0x00000000025E8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads