badrabbit | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002364e-501.dat	mimikatz

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5912	BadRabbit.exe
6004	BadRabbit.exe
5168	8C0E.tmp
5248	Birele.exe
5636	Birele.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Birele.exe

Loads dropped DLL 2 IoCs

pid	Process
6068	rundll32.exe
6064	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002362e-559.dat	upx
behavioral2/memory/5248-578-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/5248-579-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/5636-591-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/5248-632-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/5636-641-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
117	raw.githubusercontent.com
118	raw.githubusercontent.com

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\8C0E.tmp	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5468	taskkill.exe
6096	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{54E8A415-3CD2-4439-B65C-C2857187D8E7}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 587358.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534697.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5256	schtasks.exe
816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3548	msedge.exe
3548	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
2512	identity_helper.exe
2512	identity_helper.exe
5368	msedge.exe
5368	msedge.exe
5464	msedge.exe
5464	msedge.exe
6064	rundll32.exe
6064	rundll32.exe
6068	rundll32.exe
6068	rundll32.exe
6064	rundll32.exe
6064	rundll32.exe
5168	8C0E.tmp
5168	8C0E.tmp
5168	8C0E.tmp
5168	8C0E.tmp
5168	8C0E.tmp
5168	8C0E.tmp
5168	8C0E.tmp
4220	msedge.exe
4220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	6068	rundll32.exe
Token: SeShutdownPrivilege	6064	rundll32.exe
Token: SeDebugPrivilege	6064	rundll32.exe
Token: SeTcbPrivilege	6064	rundll32.exe
Token: SeDebugPrivilege	6068	rundll32.exe
Token: SeTcbPrivilege	6068	rundll32.exe
Token: SeDebugPrivilege	5168	8C0E.tmp
Token: SeDebugPrivilege	5468	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5020	dl2.exe
4752	dl2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4060	4576	msedge.exe	97
PID 4576 wrote to memory of 4060	4576	msedge.exe	97
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 4288	4576	msedge.exe	98
PID 4576 wrote to memory of 3548	4576	msedge.exe	99
PID 4576 wrote to memory of 3548	4576	msedge.exe	99
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100
PID 4576 wrote to memory of 1736	4576	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {533EA750-E47D-4A79-98CB-9B8C3E9DFA22}
1⤵
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8faf046f8,0x7ff8faf04708,0x7ff8faf04718
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5912
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6064
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3943402871 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5344
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3943402871 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:28:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:28:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:816
  - - C:\Windows\8C0E.tmp
      "C:\Windows\8C0E.tmp" \\.\pipe\{3FCD4833-B7F0-4346-BB5C-4C118C31A6CC}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5168
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:6004
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,16441782617030575138,10279494725897255105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5468
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8497c9e1-6846-45fd-aa3e-fd9749832033.tmp

Filesize
7KB

MD5
8eb1820f128efb55e3f290286814a411

SHA1
426ba5fdd01cdd2e7e57881459ac0ce4e49a0438

SHA256
e6471aafc9f17580a49f61c6b1c6ee10fe4d765ab2f931fc5fc0e30561a18b69

SHA512
ccc5d5bd5d08247c4bddffcf6ed4d1538405e62f42491909ceff224dcb9e6e17ad5b2f247157fc0524bc9dd7b2f693e907c0466468ddc83cf19dcfeda1852f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
786d740e3b2fbc182054a21d28e1b54a

SHA1
b2088cd156c158a56b0b17708c013e21029281f2

SHA256
e6b95837641652a629a79ee9a3cd1abdc3ff2db2c63d4dd9b0e00df555f9432a

SHA512
caa50348961089808bfa304d071ecbc5d642263aaa01a79a573d342e85cde1fbea3784490d0e0025a6f63b81200a9964440fa40bddd854cedb2977d88ed1a8c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
a6c61cfbbeeacc5ddebf111ae00200de

SHA1
bf8133733d9ebf5e8c730b4c83ddcd660175b18d

SHA256
b1d00cb03a56175fd0091996372f3c7e0a139112fd31cbb377a9328c57e82aed

SHA512
a7c7a08d433196b5c44656fd5f129aee9353f0be0dc47ac2dde7f41125f3a9ece194c20cb36ec2e3fca91d92cf193ca8d6871105092283d7d5bca4bc4dec3835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2301e40cd1aebe514c199ba905de138f

SHA1
bb785a88c1ee24d9367d4bd3f62d6843d9fc4ed2

SHA256
7290ec4baa432b85889e0e1817f777414eb3aec45a7c27ea4422c5e72a196ac4

SHA512
56cec2fabce732bf3023bb5b5d509e160c46e896d477b163b3db2867e6c8353ef55225a2c33fba49cdc1ce3d2649f06e69fa01b53434c1cb59946d40f7ef7a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ddf78529aa65479624d45e22ca7ca08c

SHA1
37b891cdd1b7fb4dd5a9fd815b1c8cad696cbcef

SHA256
0b443d132843127463d29e080607fb4344d0e3259bc770446c0d5692bad0e696

SHA512
974d2b99f1949d46276839b3e947d5a89dbd635903b92f786bdc9c5927443e871a0702ed8ebe60593a6c07a91a10eec15c938c899c3ecb8d0f84fff1db4c132d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1103c44d61ecb5373808792f763ff628

SHA1
1d873c9e73953d346302bdf9462d4d7ecb3a48aa

SHA256
fa1e5e1b32e040af14b902c39b42dfd1669fe197a5c3f867b083ae21b29788cf

SHA512
12986e6c64af4311e2053b9d07c99b98b575ffc5e50a0b5658b0ce03cbbd33438401b383705344b5e3b4824aaba2b6d9b9df33a2405dd1a3d8e67e32020fef68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a03d714f87b20f0f5edd2476e2048c72

SHA1
0405c75385a49a9974f01fa0aba2ed22df1adb75

SHA256
5a044802151fc52a9a2cb3c861e2b49c136d799da2f9089d18e79bcaaf403d9b

SHA512
f15289966c87cba76b1398172ce7b27e6de0e2ecd255ff16693187a584754a4cfcb3d64b2296357bd358ddae37e27a6b7b5174aaa0d05fe94a3a9d128d628156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d46018618ac20beeb8d48517de5b3852

SHA1
493ba5fc0ba850c4bdb4438f2b166ab27e8c5152

SHA256
495b5ee25e23f1dd8c6a18475055202f8762f7fb4c476ebd20edd9bfd0cb4309

SHA512
32fc699c289c4ef605c50fcfa1aad6db00bc33c00562863782c599d4b5256a5605c4e46e6e348fddba4c06bb94a3f617c8e7f5c3f64afee6e0c6a6c97136b099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e689469675b599a2c0a39d9c865aee6

SHA1
19f564462e20efc688301f6a9b5c90089867b7e8

SHA256
2dcb30f4f56115688ba9109739635ec5ac5f755822920cdb509817ecedc1b160

SHA512
9c96590266a6e62387328e79a3e6935688e9f0c67470dcf519eca184110bee43e7e3ab72d3e0e210df75fd663b01c5c36fe349400f5d1a9c510e670c6ebbb7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5868e6.TMP

Filesize
1KB

MD5
36ec170131e44117b4a86f08a349afbf

SHA1
20c1e895fef229c3b04c02a2ab73fae4c36642a5

SHA256
20a794403692902da54667b9140afef8cb56d85ed358003e60cd149e2ec7884e

SHA512
60380cbe3b8ccb6ce6d5e67c41b921f5eeb8cd3c7937ae13c04e99097f5314b409632a36146002a78259ec920b5b3063fec834e0a0df5ca0471f017053373d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f46b81d6186dc0748f8858b867be863

SHA1
2f6ffdf42894ce9e71c4640a701ac66feae61013

SHA256
ffb812d62ff034e7d2461823777243e0a302a15c9b8fae80774bf7db633171e3

SHA512
779269b7eead299e1d47585bd9763a930af82fc75920ec7c80f36a0d58fe7ea98239132e8ef054594afdaf492d286ca6c45ea502b9e4c199abe0bcef821ab4af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
28911e8cebbce1af5091599b8ab25cc1

SHA1
6fc5b6897ca9d3fb36db7c0c08394a9f938c0539

SHA256
659c9acf07944b5996bcaf6676094654a46ff55639e2de01f36fe47165eca9e6

SHA512
c5785225733072e566b9a601ac913685f0c81f354e8cd67c8fa0a01c310f289f195eee9812d3debf428a039aa8fb965d0fbe17f9f215ba6a39b40926994afabb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 534697.crdownload

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 587358.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\8C0E.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/4752-17-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4752-10-0x0000000002110000-0x0000000002140000-memory.dmp

Filesize
192KB

Download
memory/5020-8-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/5020-1-0x0000000002100000-0x0000000002130000-memory.dmp

Filesize
192KB

Download
memory/5020-350-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/5248-579-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5248-632-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5248-578-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5636-591-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5636-641-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6064-491-0x0000000002B90000-0x0000000002BF8000-memory.dmp

Filesize
416KB

Download
memory/6064-495-0x0000000002B90000-0x0000000002BF8000-memory.dmp

Filesize
416KB

Download
memory/6064-484-0x0000000002B90000-0x0000000002BF8000-memory.dmp

Filesize
416KB

Download
memory/6068-477-0x0000000002000000-0x0000000002068000-memory.dmp

Filesize
416KB

Download
memory/6068-493-0x0000000002000000-0x0000000002068000-memory.dmp

Filesize
416KB

Download