badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
299s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023583-521.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
1420	F4EA.tmp

Loads dropped DLL 2 IoCs

pid	Process
4344	rundll32.exe
2940	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
84	raw.githubusercontent.com
85	raw.githubusercontent.com
86	raw.githubusercontent.com
87	raw.githubusercontent.com
88	raw.githubusercontent.com
89	raw.githubusercontent.com
90	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\F4EA.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674946243627430"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3880	schtasks.exe
3664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2596	msedge.exe
2596	msedge.exe
912	msedge.exe
912	msedge.exe
4084	identity_helper.exe
4084	identity_helper.exe
2892	msedge.exe
2892	msedge.exe
4344	rundll32.exe
4344	rundll32.exe
4344	rundll32.exe
4344	rundll32.exe
1420	F4EA.tmp
1420	F4EA.tmp
1420	F4EA.tmp
1420	F4EA.tmp
1420	F4EA.tmp
1420	F4EA.tmp
1420	F4EA.tmp
2940	rundll32.exe
2940	rundll32.exe
648	chrome.exe
648	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe
1224	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4344	rundll32.exe
Token: SeDebugPrivilege	4344	rundll32.exe
Token: SeTcbPrivilege	4344	rundll32.exe
Token: SeDebugPrivilege	1420	F4EA.tmp
Token: SeShutdownPrivilege	2940	rundll32.exe
Token: SeDebugPrivilege	2940	rundll32.exe
Token: SeTcbPrivilege	2940	rundll32.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe
Token: SeCreatePagefilePrivilege	648	chrome.exe
Token: SeShutdownPrivilege	648	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
912	msedge.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe
648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2880	912	msedge.exe	84
PID 912 wrote to memory of 2880	912	msedge.exe	84
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 4468	912	msedge.exe	85
PID 912 wrote to memory of 2596	912	msedge.exe	86
PID 912 wrote to memory of 2596	912	msedge.exe	86
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87
PID 912 wrote to memory of 972	912	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc28c346f8,0x7ffc28c34708,0x7ffc28c34718
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,18005575282028522593,15647143089335250023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Users\Admin\Downloads\ransomwares\ransomwares\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\ransomwares\ransomwares\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3708
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4144
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1090940223 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1090940223 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:13:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:13:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3664
- - C:\Windows\F4EA.tmp
    "C:\Windows\F4EA.tmp" \\.\pipe\{3421396B-22A4-4684-8960-28E0831C858A}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1420

C:\Users\Admin\Downloads\ransomwares\ransomwares\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\ransomwares\ransomwares\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2296
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc304bcc40,0x7ffc304bcc4c,0x7ffc304bcc58
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1688,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4988,i,4650239040941889821,272992221812097115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1224

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
33025d9f734cf6b3da0986e439bbb542

SHA1
f7e1d92936de183bf7d31b2dfc2c05c70ee33b86

SHA256
a23db5730cba3ab6400d5d7497f64bf7791a7a63abf4c32f5a1dbba5eb9682fa

SHA512
ca9596fc6926bd1bbe04f16b598f3257f7d4eab53db4b9dc8735c73dcf634bec197a51c3e00096c93f92aaed140e3a80e7c26084e0d0bd373c6ac864040fef8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e8dbca5a03b5e08f2a78bac693b4f1f5

SHA1
5e642e2d1f4c9bf5f8ea58869da7752e41c3c3c9

SHA256
5061d524c573f95d32aeb0c8835f7dc4308ef6fe09de805d25c4e6bd5ddf7bd3

SHA512
15bd8eb9c766d8c028940110172d6b1a20db144bb7f7b84951410983fd02b77ff4f5c1d2063735178ef72a8618a73a2e1b77af4418fe5e7bbccc172d5bd63b19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e55c06cf8a2e29a2eed39708e187aa46

SHA1
cfbc6f5c9b03f7fc03ce4a4abd50f17039a8d7e5

SHA256
a551759450df86c9614c817d3a09dd8bd8238c24b48536abe0cd51aa52bd8300

SHA512
4f6744034f5d288b96c071f6eb5d78c3642a4b266d6aca3be35c76071cd283336cbb89a7e453eb74035c6f213a3b3262ff84e0a9e66768aefaa23b35b28397c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7c6d832b9d6b178cda915d4863656438

SHA1
23c8e38c1a58901f2992423053e51c2b82b52099

SHA256
6901cb3199a18b25aff01b3a0eab5be169c4fcff4d33ab2a26d6605f3c1cd161

SHA512
029f79be1401bdd479ed497a6d61e3f271fe72d1680cec6596379353d4bba1b90155fb23b9a7cf8297b280e429b81e03e1a1ba8a36b12781a52e66a4af8189c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
87694c2ec333001f8b9b4470fbafcbb4

SHA1
4607dfaa6c23565204a5b6d6276977fb015756aa

SHA256
c9bf28885ae4fc886063699c8edf4f941fb49c0041b8b829a18e49431d841e48

SHA512
a36d46de55d5565cacd24492d170f236979e90ec3878da3a6c5b1e917310aad37cfc539af5365e279aef602e0672f02481592713d4f9d3a771be704273714545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
380f7bbe037a61cecd82d79e9f997f93

SHA1
525fc97581c5fd764a289fb909ef9b385220f2a8

SHA256
d7f0c07bb60073c92599066a8c181da85f4d0104c67babcffb471020e7ea168e

SHA512
da6d5f52722154f593f1bf296c6294160d6e9a868429cf6718204ef86ad50c462b7e16f8ae409b31b7ed1804b7759f012876aecd67403329d0a26a2c76a51bb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3f4032d54024858f85acee1faf312f49

SHA1
eb62f6f5e98dbf05d0bd38fb1275365f2dddee05

SHA256
1e3d0bba40faf83ee878fd94fa300e39d7c91626380bc2dbf8fad457a8e558c3

SHA512
dd8291115752cc1f8eb87a25241bf68519a605c5f0da1a1cbe8508649b0f09df9ca72dada255d5b6446b89abc0971d4766a38ef7246f66be44ba3c744032ee89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a589e3774d80eb9267f8b80b9f3e21c5

SHA1
67fd1439fdfe12657f930dcdd87edb2c7e3b1749

SHA256
56788a07a5163eb848bdc3c042b6a5647fa66572c5fcc8b513275bc5aa6b4c2b

SHA512
1c97e41d9beea14a635178ec8a7e945199552a8f3348a9cd57de8bcbd3ae1ad0eb4c08a0163613053ba6accb1a4aefa3a6152fd2010a851943aedb4b228c6c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f4746ba0b21ddfb6f1bfb08365717b15

SHA1
5fa1ee846d1f7025f8b076bdf3084eab4bfd2122

SHA256
70e01019aa10e8ee2ac59af4e74fd53a48716bdd2ada7ff1a119708fb8a24780

SHA512
d7faeb09aa5e6e613e2f99845090d725e38490d17eb9900a85562720c4dec5a839b5b32ee5505e6690275efeb90ce25d876603947b9c515d7ae3c9774a98843c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
89a889792b3c65ccee3d9cce1abb0914

SHA1
6711be7e677761cb23169ab36b7ec814242d8375

SHA256
61286d6f85971286eaed0bd10436622b2343ac8d78ea5b041d01c9c776e8ae07

SHA512
deacb451eb145cfede4f09d4ec727e7909012834f082e9aa24a920f9836c0f472c4e55a9dbc226320cf22640ec3be471bbe8b0a05ea990f962b1bf3c0c8ade2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
93ba5b919ccdb50bd614e554cfc5f8f0

SHA1
103f8ad73e779c1a05a772c41acba9c46568759f

SHA256
4b3c510f89f27b8b41cb20b8429557fd7792dd26ad26826e5432e828248b4557

SHA512
41d8318a5c466782c2bed00edad25574e9add578bac658972b6f6073caeb17faba6f15b45cc763b8e2dac21fa051e2d3d0cdaaaa4be3446cc327f5698f18b250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
9e3eb4e3215b132e5ec71260abc5f4bc

SHA1
f1e966b2827bc4520b158585f1044a2ccbe1305d

SHA256
59ba68336b6920d4c59db975dce6cd1c5a8dd59d652bbc9e0c3af1d0ae8b1bb0

SHA512
4e90be80b51d3ad673cef5e1902be9dbfa08b03f41e688bef5d2f3c9e6ee87f54de7702fe9577788bc947faf00b8c777f275835e763f73f68061e8eb5bb09471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9946db02-2225-4c8c-9861-18382be79ebf.tmp

Filesize
1KB

MD5
8585c3387b2c2547f96563475318979e

SHA1
6825e59862c462372f5bf03e988fd4d2370e948e

SHA256
bf1bb2e54806f1fa0abd4cc30ae05fc9bafabba956552c948618f94509bc18d4

SHA512
0877dd99de750d585d0426e0ffa43053c92c33e2fcac4323cb2533b17cfffbb49ef7a2d5bc20e71eac43eb641d5a3de0b5a92f98c5e875960c169e72e49a02fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ee19784eeddb441f8d68b312dc27849e

SHA1
907e383be2f518dc16a2e15da73986c857c96c4f

SHA256
60e0b73128eb7cfaa41aaaa726e3790acb1b11f7cde11d27cae53ee0b21c2329

SHA512
e071163743fd88fc2a846b1ab8dee008930f11eef81fa291dbf0af4386dfe24516c3b65596b1ac9a14baed7786d6b0dc6df39e48941b433128c3e420a1105a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8b472aff5e47dcf0ab93cbe9692b09e

SHA1
6c9e319a6435f74d91333b68c73dd95593eb45af

SHA256
82a6f5cfee7a2136f6b13853d6c87bbd87531aae04a8bf5c6150c1e49ccb15fd

SHA512
aa508ac825bd329b7b662ec563576719bedd26a84b16ea099eae39196a1eca776d623c83caffe346d45fd845aa3220379b4ce2675758d1870dc00c9d2aa29761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c7937b30c13acf4f960a2b02f668b2df

SHA1
ef0cdb9d6e4d67ec93736f1de14cefd79356fe11

SHA256
59b209dbb2db39b7323d4feb0855b236a67e251abd5e10bfeefd239e0d9347fb

SHA512
498e552efe32cad9d068dcf15e46ad527339132eaf8300e6b46a6de87c6bac587647b343afe7309db6e0430a3941bc7c7aaf5f2ae6e1a06a00d0039b757bada0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6660de22190230e74bb37ff049cc79fc

SHA1
eacc866381ab4f8bdf1fd4a1517e2bcd427c9204

SHA256
b3770696ded89fc11b87dc459e020dc81b3f211fef72fc01b105cc754b9b91ca

SHA512
061924f8ec7c3ca08aa77f57c5c3a5d49ac3a4d4d9c110fc4ea77642f454fa6fa230c3bd217a4b18e64867eb4302b495bb8049e50e039e1d8bb6b36ed1b43d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4cc926101d0a329c22725df15f06ba05

SHA1
d8cdb28e0a64d6825a68ac8b15cb6b6f7f3a6dfc

SHA256
eecce100587c2e3afe37f4a82b4d9b17adc327c6187dba82e3164ac0f36e7a9f

SHA512
b7dbfc06db4dc195cc703798da7097aac9d47ad55551301d08b3aae6347061caf16cb51fa280d0aaff9328da9ea40613e35602f98a31887b272ae3234d3759dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2580b08f071c24fd07d9da393b35f49

SHA1
e54802369c8af02ce875d831dfb54aa529595f3d

SHA256
eaec7819debc80d32143a2c87a04754237613a785c442cbb5404c62eb77e2b3b

SHA512
bda962949656a8cf38b9d3230bda5cfdef85f2d6245a58fa7c372303039abdc66967123eec9d92e3fdb45791809308a79b21635249b12acbaaa6ad4893dcd958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1196081681d79663ba1136e4e86e71a5

SHA1
076d807938d49850eed52356a63bf861ebd096c7

SHA256
8ecac7a884ada9e00045636917a036d8c0e72d427e92cbfcbb784422db7f4b93

SHA512
e6bf58795003bac5c106d78147de0018434c1af452318fc4e6bcb1080f857f6cd2857400c385fef7786e5b66662167a63e733a3ca64c7016123f12d783a66b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea8f.TMP

Filesize
1KB

MD5
a78f9c680170e864d56f66a4f435cf90

SHA1
975e6fa09681b7e62b40dbb3307c82bdeeb1f058

SHA256
6ae26d64dcf547dad3a29eee771503b3e3fb8d24b5ec31b5f6a2412641e2a7f1

SHA512
6df2bbe08ff89c4faab82594a4b5648bdce2bd3babb68ac08d3d972b6eca2682a77741eb239daa12d83b979ff29b67ce99afc21dd4788273e41a23f2e39ebd22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92d377b309aa0b33e6143f8f19b51a9d

SHA1
2dbc1b87a76935a0710930060eaf4582146a385a

SHA256
4df0629b7c36bbefed7e99650a19947569e8be175c24aa283e39379a7bf08502

SHA512
b35aeee548b8b7fd80c59f0908619f6fa37483931d460d16fdaad7f7f1f8e7573d0cc31d9bbe0cd19b904d8a0ee1a6024eaa05c05e05a88c13ec2a8d440147f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4eee9843ce23665f3ba7e6ee1cb4a3bc

SHA1
39b11cc19d1874d216df202b78810fba2939fc91

SHA256
87b0617d07d47615f90a8c59ed053e1a51a27c5db16369f80fec4cbc2a2c029b

SHA512
2dde95154bf3f2664b0a2746853d8d7f325b757075f050886fe923fd7a0d8ba2ec5197f7deea8caae7d6ce2092b5102ed57da26d93f59a76de191483aff23080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c6fec4efb03bbf3840d18919abed8c2f

SHA1
801f8f6752f1b4b773fd0dfeb646249c7254a0cc

SHA256
7b1b87aef8bc478bba6f1233b7acee38b6ffd91c10216338806a21ffe22870da

SHA512
1ed771d876c10c7e4533e3e76ba8188727c79557e6a61b1f2761ea1ed3245f24ec4484e423e908d1dec91fcb6b43e52d852f0a642535500c8a73c0e22b195398

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\ransomwares.zip

Filesize
7.6MB

MD5
4c115163b0236511183822446e53ae05

SHA1
8595d9cdff069e7eb4bbf8fa6d402ce714d3618d

SHA256
7d8cb36232e2bd8d27a6dd7da3639c033e9adf8b97307f1983871cf956a79098

SHA512
0c2d4030b3e7160519cd26e679c6a36aff2d964c5e0adf33fa9b4d0e198d0b821d5214748fb3e08faaf32c85e8ec82049765c5c0612a8bb91ee627c329e1d444

Download Submit
C:\Windows\F4EA.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2940-545-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/2940-552-0x0000000000D50000-0x0000000000DB8000-memory.dmp

Filesize
416KB

Download
memory/4344-504-0x0000000002A60000-0x0000000002AC8000-memory.dmp

Filesize
416KB

Download
memory/4344-512-0x0000000002A60000-0x0000000002AC8000-memory.dmp

Filesize
416KB

Download
memory/4344-515-0x0000000002A60000-0x0000000002AC8000-memory.dmp

Filesize
416KB

Download