badrabbit | hxxps://github[.]com/win2007/MalwareDatabase-1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/win2007/MalwareDatabase-1

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023591-390.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
4892	8066.tmp

Loads dropped DLL 6 IoCs

pid	Process
1968	rundll32.exe
1464	rundll32.exe
2884	rundll32.exe
4924	rundll32.exe
1456	rundll32.exe
3476	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
63	raw.githubusercontent.com
64	raw.githubusercontent.com
168	raw.githubusercontent.com
180	raw.githubusercontent.com

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\8066.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2608	msedge.exe
2608	msedge.exe
2596	msedge.exe
2596	msedge.exe
2744	identity_helper.exe
2744	identity_helper.exe
4752	msedge.exe
4752	msedge.exe
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe
4892	8066.tmp
4892	8066.tmp
4892	8066.tmp
4892	8066.tmp
4892	8066.tmp
4892	8066.tmp
4892	8066.tmp
1464	rundll32.exe
1464	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
4924	rundll32.exe
4924	rundll32.exe
1456	rundll32.exe
1456	rundll32.exe
3476	rundll32.exe
3476	rundll32.exe
4092	msedge.exe
4092	msedge.exe
2044	msedge.exe
2044	msedge.exe
3548	identity_helper.exe
3548	identity_helper.exe
460	msedge.exe
460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1968	rundll32.exe
Token: SeDebugPrivilege	1968	rundll32.exe
Token: SeTcbPrivilege	1968	rundll32.exe
Token: SeDebugPrivilege	4892	8066.tmp
Token: SeShutdownPrivilege	1464	rundll32.exe
Token: SeDebugPrivilege	1464	rundll32.exe
Token: SeTcbPrivilege	1464	rundll32.exe
Token: SeShutdownPrivilege	2884	rundll32.exe
Token: SeDebugPrivilege	2884	rundll32.exe
Token: SeTcbPrivilege	2884	rundll32.exe
Token: SeShutdownPrivilege	4924	rundll32.exe
Token: SeDebugPrivilege	4924	rundll32.exe
Token: SeTcbPrivilege	4924	rundll32.exe
Token: SeShutdownPrivilege	1456	rundll32.exe
Token: SeDebugPrivilege	1456	rundll32.exe
Token: SeTcbPrivilege	1456	rundll32.exe
Token: SeShutdownPrivilege	3476	rundll32.exe
Token: SeDebugPrivilege	3476	rundll32.exe
Token: SeTcbPrivilege	3476	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3960	2596	msedge.exe	82
PID 2596 wrote to memory of 3960	2596	msedge.exe	82
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 4392	2596	msedge.exe	84
PID 2596 wrote to memory of 2608	2596	msedge.exe	85
PID 2596 wrote to memory of 2608	2596	msedge.exe	85
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86
PID 2596 wrote to memory of 4172	2596	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/win2007/MalwareDatabase-1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0a3046f8,0x7ffa0a304708,0x7ffa0a304718
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16915812068162401400,160969899683006656,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4612
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1770308591 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1770308591 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:04:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:736
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:04:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1088
- - C:\Windows\8066.tmp
    "C:\Windows\8066.tmp" \\.\pipe\{85F42875-741C-48F5-9B10-DFCCAF9D1FC5}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4892

C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3644
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464

C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4080
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3628
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4924

C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3952
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4828
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa0a3046f8,0x7ffa0a304708,0x7ffa0a304718
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3671107808775323367,17557420898553903238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x304
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c93b0e594dec7aa323f1cd418350e7a2

SHA1
dfe1b99aff22e57adf971e58593662cf672278e5

SHA256
23206fcb0c299cc11059f9a5ab79adcc4d27ddeb7c5e7243e1607b5e02e7ce0b

SHA512
84d3b08a488299045b8f1b03d7686771b5dc76cc7fab2b897cad4d04a3924b1ce1f84434677aa474500854d14ca96bc8a19bb6f6ee93d126ec7b5f37d1be99e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a72b37caa9b4f6636ae71781811eb92

SHA1
11c8c02de873368c2f644969c3416e6d23bdb249

SHA256
f2e2971c7afdd67f8895a9e49980b2e9ddcc640a93a9f7baa4707d8632cd371f

SHA512
c6336508a0f2dd4d3e2fe892000e6cdca3b57edb63da522bf03915d8d50b49f84263c57b7e05934984b85b067a92c3f13debc82f23453cf504a98afdad629140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
ffdab8acf977972ac94a53c3ccdab4fb

SHA1
bf9a168536b732834769092db311334fd35a4481

SHA256
27829086b09760f7a41e64f8d0d0e9f8aef0378e74ee1ce9990e5381709bd480

SHA512
44ba578812451d46ff9bc5340a2b7dbae5d6f1ae5a65930c416c885985741fb59564fc391d54136e60bdc9954cab746caab678ed2c9b4040eb9483d22233abc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
6799bee5565fc03aa23517013c6bb4fe

SHA1
310c661818458779d8581b957c78153491e44a00

SHA256
8dc3b00610b51ba474d91065c2d490018673adbd2f4383def3631591747a77f7

SHA512
3fba96bd529dd3492edc24d370f5f95fecc1a72fca3adf55229e4ea3b805ab5b0119d09406ed2f6f46e8f1aaae2b758c9928d54728ea8a3aab0a3edd4cedc485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
b7b9638b81fbc2f9d4ac78f6cec3bcbc

SHA1
5077e932a56073e25da495d6adf635a30c82e0dc

SHA256
55d3d94c49aaf88cb3dc4720bd93968b3e7b31862237af1956971036ec4565c7

SHA512
c1076bbac93f5bde9626e5656eaa25a9c3adade26807c3c10ec8b7cb5afa81e0cf7c7c6ab51252eb218722634bc9d0b21caf36a794fdf1f02c8d9c3910e5e690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
b73a56478d9833ae676b4c16da364fb8

SHA1
f45d443dca5a6658278ab724b579112a4ca70a46

SHA256
600e38986394e9029fc5b4b8e846c43e2d9703c0c6b87439db4333da5b2dfeb1

SHA512
dbbfdf6d62ec19428dee3454de2a00e28ac568fa79f8c3f7865c0d4168c6211ae8c01e635980657abd6b503a965057ee8f02277748b76de92594a4d7de1d0cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7c1b4c5d35ca899189cb83eebf632769

SHA1
25633c875bd1b9b0f52c71246d86ecac1583db6d

SHA256
82fa6ea33dbc25e962990e4dca81ee4b6725873ba911b03b5636335f7b4c3215

SHA512
3367f4e9b4ac28f780ed9417e705acbb45aa18d05c6608cad8775d2b612b29f23e70877fa6727b3a372c9da97922e8e52c2cf9a90115806cfdeddb24c598be76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
40c147f7848835050587b574c8b1e073

SHA1
a6130e7a1074996a483eb1cb036050acfb82a08b

SHA256
fd8e0464db1608d1dad36fbc6ec9a09153192a2dc56d80fdaa22af5859dce200

SHA512
7cfd02b08c24bc9e824b8e50f90268a51b6000cf580ca41fb6a350b8b149095528997d352c1c515bd684c53d50ed1a187fa30e345ba9f07230ff583392f213dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
2850050f0355363ddbfcbed59056ec24

SHA1
f91ed1a51bc49fa4a882ea26b0f1c5eb0c33f01c

SHA256
d123600cd3581f1496d4a04ea87109f5475272500c09918d2e03bdc5c6fa7d5b

SHA512
89729ffc5ecb068fa22affb1cd6f1e3c7d8fb390ae9100036c6056eb0c47fa10a031ddb060c97309d5f0159f321028fb98b805fdd53e7165f735196ba3c5b943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
411abb86ec816ee3bc2cff4e67fd225f

SHA1
f35e9d00393039bfe49b8ccda116cf4866db9ec5

SHA256
605042f6e4ca13e1301412f2ac77da46d8568ecebb07cda9bf22c0c88c14feb2

SHA512
d833947104bec0e081b023d8b7d2e581bd05deb7d0975e360397f2330f6f9e5ba79a71bf4694430fa803d390d12e6bfa4a74de55fa241cd27e068fc5fd84b7db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
ab3f1dfe78b74fdbf8808fc133bda2bb

SHA1
f8f9f077c51088476c5045c0d888dff4b5859d02

SHA256
efde7b5366676bab69002eb48927078d8f10d6ec0bbc72f69135d413419044d4

SHA512
ba056d95bee401f0f65809f70614c54b8492523c6ec8f30451aca0efd6346306440eb2bcdbe9d1b0d5fd16fc6312c5e1853973a8365812fb516b1874e62c7188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
b963990d7b620809bd20660433b9e322

SHA1
6bdd5e464961e30d52c5ccb375048264b8bf0d20

SHA256
e306e4b9ca3c0ed162d097ae5fe06c4cf4004a852841d6a49664499a8148a2b0

SHA512
ac4e5769a52dcbe20960a9034bc62ac885b2ae55dead03141c94bc60daf69484b70c300909b0f2bf4192588aca4f6b7a54ee41f5b1b7bc16083eda7762e41b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
49312534415d66505da15fb50613c41d

SHA1
c2061ba1a62e0cddccde9a64756dcaa54ebf6a92

SHA256
a5c4e98ad1e44a501d3af083a2c486d120d61a7f8cc962d331dc7f5c4aebfc5d

SHA512
6b9d1bdb67b31ca87438cdbda8acd7f43f3be81779da61758a6bcd1c7cb1bb5699db95452ba0bbabe554b155cd2ff05e84ea36923994e0c1e6a1291f5d0e39fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
16KB

MD5
61c15e7df34cb0700ffb1ad0a1e72c0f

SHA1
660d0279674896d86de7abde81ee6dad6fbfe148

SHA256
43b17b09236f7bf4fcc2128bbf36424d53419e02d24984993969df06d1dbe6e3

SHA512
128aaa9247c04fea8a433820065540fba6bb710c391b8dbeee6f469abb3efcdb539ee678f8346dde1936c2c6add203c0cd3c4df5fc6a541bd27d2d654f4735fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c0a8ebfd4e2d2098b16677d3bf06558e

SHA1
7d95c7364b76489420909d4b68a966453f30172a

SHA256
ae05687d356e32e3d8edbd3482bdabad18fb4d6fcd00cb5a7b210f4c19cf524c

SHA512
971629027b8ea8d8516bf33701a798fcda0cacf109ce35b07c80011fd88331c76858cdd7a987abfe5a51c6d740f86820146a856e6e82ef436e81f14ecc1fff7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d8aad55bc3a3e1c7dfafd18d028bcf8c

SHA1
baa6eb8c2b8b1f77e6d40bf258c7c4f569e2c7c0

SHA256
b6b8fb43dae50eda49230ff9e0d32747215db961f076e1997b60d172c948756e

SHA512
672e45342a279d6545313b27abe5a061dcbabef4bb3cb4c376d610c4d43889275c538edeefc0e1739c3241a5cc685844f74444b54d6d046d5105c2731271dbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
778b50a1de24152a24b2f1c3f388399f

SHA1
73f2fea561218a73d8e47c9da3b5f55deacdb17b

SHA256
f4bcb96d3890a6d90933dac0705c3661645323f77de03dc3732d380466d7f5cc

SHA512
b028f5ef5717ab1cad5abaca571b9699b6566d513c67976b0f859b29ed936a5b732808837003245a8319ff29c0458a8a29bbb5ba1eea6dcb693f8dd9450c1b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5288cbe8ce2940e86cfc907e91f95b34

SHA1
a1fda535c1c9c373cc4e08acb958aeb33c51bb50

SHA256
73c0566f7dd08271f3f17afaaf49cc5cb7d206123788aea7139738e4c2909851

SHA512
8369f321369592c6c53894b0369d4a0e734c000c1a9f7becc5a92a98e76a48536c1e0cf90219161b35144e8bca2bd006788d846fe34e4f9e2a3a30501c72bdaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b16ee1d33c7c9cc35191acbb687b74a4

SHA1
19138fa85aac311098930a76e4371030bb596bc2

SHA256
bd4077fc7b09c3e84acb94af59f8398ab867e51905d81145e0c566bdfa447147

SHA512
f60f161091d8ebe1709d520b71c0238f29a2fadec81a5656bcc62c48453a2532a0966f26a5357a0859030bf3a62f4cce59a5ef417f1b329b0a75dd63d268b4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d0c392c4202af8bec84d4ecb3e09a75

SHA1
514cc16b21e6707bb672a5d815443e21e3f0d536

SHA256
ddbec0b1a328d0ff2a9f3eb6a0e24e7f1b9fdb7f55f3786b042dfb6820a08712

SHA512
056c372ba56d5236422d216ce59654741ed71fd7292a434681be43674f2062ab132503d2a42b1144e62f39254a7aa1eb2f80bdc17937cecf11a7b1551e961c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea0fb5499765da3011e6e392906f8ef3

SHA1
d942fdd597cad4a9cc006858d16338164e3ff4c5

SHA256
93120420147cbc77f181d079272c0c74d0c8550c31f9c5ffc62fd49cc933043c

SHA512
668e6631f30b9537755679e3a7f6cd9ce0eb5468ed0536ffad1c98ecfb7493f3636e87306e03b52c147cb8456dafd6b98002e354c003044d88db4100025b34e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d52e109b7ef3133fe85c7f2c56a4d2c

SHA1
155751249e40dc23647441cc28b518e38af8a670

SHA256
207931a70c32c5c12ec5881f3be15e435c782781d1e227e8368409d64b8bbac4

SHA512
efffacd565d22cf7e185c6d4be75631a47ef9ef1febc87b387df0b85b65e0bde822a49dc2c065700e1274925d60330af81fdabaf5d526a0509bca1b3bfaf6dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9476ab42a21ad70f996afda6a12b2d0

SHA1
9713a8019e6ca47946aac0de519036dcbcf1e4ea

SHA256
f9b273f710a317f8b08315ba53024bda4fb3831c66f3f5d92dec65303245a3a0

SHA512
1f8079a679163a1a27a5324c80b7207aba36d4e37234d227e98822168ee0641335f284d3ab53ce0668571ef81c0c7ec1572cb82f0b9924f8b1fd81abedb2ce14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24cec12cf90eb846f5610a5752e19822

SHA1
bc9f8aeeb656310fa2e59ffa866696f5e2a86c9e

SHA256
96ad4328d43335a1644c1712d8ae58622040de922f254c0752e7d682100da8a4

SHA512
79f6af6afcc7b0436debd75469abcc1ce493d76a19f220ecb84178307b82938b398320e9a2c00c250329ddbe7b3b8237bda0802704415a085838c2d81696e21f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
3f1d68d0aa89208a5ce5f2477b011f23

SHA1
5ca6c680e8140649d7f881371b904da43a3cb2e7

SHA256
b9382579a75fd2f4e0b3c91a6910bdd413266f787bf9fd5230a1dac81ab3d636

SHA512
3cac3f4809b21921bced3ee6903dddf9ea5b76d2c3840de2304835de7c20c7eec0f17d14b2747c0c4a50b55870486b33e2fe3e569a79dd067e19edfbeedc039d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
f405760b484055e1a3238ed3eb110771

SHA1
3fb8290355d7cffb5f945751679942128e77ae0a

SHA256
03ce6d8bbf5327d41d7435c3da1c92c7bc4c814091a5e1e83f8754b712e7edd8

SHA512
acdb602ff2fbb0075f5cbca0409280f5424eda03f2fb691799fa8e32550fa8a7dc91879392c83f4f3869f30a43bd0ea33b112ae62e06355577656efddd9255da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13372382736241964

Filesize
7KB

MD5
ed3d190e71898807dc015847da20abd1

SHA1
aa8b2fc48a86499626e192d0f6d4acedab1f4240

SHA256
c30ca08b453d4d6acac5921b008895999694f4f61f0ed03bc0844dc01d55a1e6

SHA512
d545736e347d2f2b10674de3560854d4a69c51f411ea3bf035439e6cc7a33e8c66498c1fca50f95d9165457e7350fc68024353dbc60a427e55b645da978c1856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
9558a806cc89601b2968a08b3b19db17

SHA1
21f0c74868a5f3217c11f0dd8d1132d1ea867226

SHA256
b636e1c0e621c44f11fd05c66f94c445f5e0b74e68939bf797522804812a7731

SHA512
263aeb313c9795100ba19f5efcc798d45af13cf065bbec1680c149bab7e5dbc96f14e78da9eed7b86d25ac177431a3d225ed748adec0d63d6e28b5912b3cfc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
4c6efc5ff7b484f5ad2b111e8d49f646

SHA1
2fd42482c6a4eb0c635304af393394ca7d91ab8f

SHA256
ee1036fbd6526e12374dc1871f70bbf64fa77b1302374506b864e6e8d406c4c4

SHA512
5c9f5a5bad23520b6a9c06d3380e8c7b3b0bcf1cd0c8aabe0ebd0f5b9857188cb63c02ec1e0e35956f56e4204e40adb7e03803779c47f3db3e938041c2f3a736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
85312c95bccaa8b36b9752e530a98273

SHA1
5b90d270c0816da8250c537c6da2233464d86438

SHA256
45139b2c541991c3c3599658b4542e56aa1ff97ebd036e6870df4ac7777f2e4e

SHA512
e821111e9ece136f668da3b356e097cad9134cdee115f01c9a3df6d710c2b7b1800545856517177d3f3bfe138cefa2fa7792e6dfc60cae48c6f33760308a2908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3fed8c0fe9894dd1513376f136319d51

SHA1
5a41140ad2401d6dfc2e834c96a0e65cb0455b00

SHA256
9f98fb16710dab2bfed1564cf5eedaf0dff803e5a0485084120854af7e1ddcd3

SHA512
dbc03fba934fc58881a5a99b9b7b9cd20633896bfa5d03c65620ece5121dd510295d456be4a668b946d4a302085ca4a60fadc932356e06ba45aec64d70c94a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4a1b64f9a3413884ce587967d301fd0b

SHA1
96ac86389f963704dd71178c3e671a499b8e527f

SHA256
1b51e765b048257d4890b7a0ec0ee9e2e3b225399ec996e6d8afedad9d433c50

SHA512
85eead6ad1aff12cd8fb166aca0ca92a9e76e2d5100290a21c18184936fdc1bedd08ddb42f29e633691dc3e91bba1585c8df5ce5b98e4430b6aed21ad4d3d03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7dfa1b797344f64b1b4bfedd191ac75a

SHA1
83ae5be4e2e9819b3a86eae10ccc91f32623c532

SHA256
53e315a6ab0c6b8d684e4eb4dec7349d01de97da628f7560a963f5d7c67400ac

SHA512
1c9377ffe635e86a53c1b364687332645e70639ffe47551112b2cc93ccf456f873100c4bab9eb9da0dd7f15c037ddf7983fc2b117ea6bf3421645630e20c2685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf059b91cfaa3282206d56074514fc7f

SHA1
25aaa51dda7178b931ae81b6ac575e94cbe227f9

SHA256
2aee1ebb1b356acc54e2d643593025cf0d8fbdab3d683585707bbaf4b719db51

SHA512
c6094eadbf1c865f5878d0f8ee181739322837109367b3f5209bf9373efbf73300ce4ebc7d538167350f30aedd34a4f490d6615400beeee3438eadd1290a7d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
61f6cdb6ea6783971caacdd82e876094

SHA1
8bc170ec895e4207470911ee78de2984892cf599

SHA256
f58c21edfd3b2aa8b85b5d21557c34fe4325fab87c18913ad7603c14f1cb6fe9

SHA512
637dae5676870291eb36f42bc543c73f99d03b7728a9ff81af2716f57b26b805b71053e20bad35630727312d94bce64cea21212764edc2f348d9b70e2e0dd562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581151.TMP

Filesize
874B

MD5
71e53a992a97af1dcf5b0e83fc8ed030

SHA1
8e419c64b1dbcb6d52a8a40ca40cc1d074029577

SHA256
9b4cc164618d311281fe930efc85a41afc6672f4789b5b65144f78452e565d07

SHA512
9bc44d11ebc9280d80dda933ca529a0163a7627225d94c507ace694bf135df697c2534ca4149a3432e98c98012712436598c7aa0272ebea01fec7153fed9b386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
8987d426f5c579978529802b4735d38f

SHA1
276d5a804618860129041cade2ca79e672e0e117

SHA256
6191ca9b93c95437fa7808f7aa83cac6aeab133fb46119060cbd588ff896ca5a

SHA512
bee48dc2725f95f8c0c6ddf01b4a284fe5612fe5ec5d96bf2977b7a973e3450b425ed6896aca397e08b0743650652e54627a7b372e5077814a360723ee693e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
feed93abf9b7ce42c5e4adb75388268d

SHA1
ff13a80b45ab093f2afd975f6003e3ff56f650c6

SHA256
c797e4de610ad21c6b6280f4bd2ef082d643f796fa863a5184201a304e03ffdb

SHA512
edd11dc1eaa9ee857c3282af95107a554ac7e3f2950fd7604773112650edd9f3d2f2952a805c6aa1654db64ae2bb8d20abd8be4a14e1e0df00e52232b6aa3c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
0b2a579d8adbd398aa88c0d3b705d882

SHA1
c134c8bfc1d7c4088bcc2300ff49d0ca4e6be65e

SHA256
7c498a897c3e708fc478a2e7fb699ddd8c024738c8b29381b9f45c1433cd8fa3

SHA512
ea333a7f218e7540d4aeda1e6728ab48781310d526d3398e1f3b56fe94707f3652f0c317c67d08a5f1db7a984e6ed0aa3c499822393e5b422ebbc3097ba3dbb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
333fc8d365d510472c25c928f9266501

SHA1
f68e282dc284552e44a87063f533bfd4e737b52a

SHA256
262ff137fae38d07c21beaff778cd8a465c2b660d50b0feb380cf6e23b3a9ef4

SHA512
f0db81a3217608254a379068e65ac4af6a494be8aed38c3439955b3b36c28cc82d3a3f97f58c490fc30aa688ae6c4a95c70ad247757f93f0cfe954225a6e7505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
99d340ea0cfdf51f1476cfc6c29f4b46

SHA1
de821cd60a3de8679d7949f7192b2c32eade8552

SHA256
e9734e4f220bfe396c82d296388ce9395f7e8045cbe09e4ed449ebee2cffa94f

SHA512
5255117b81f585e2d5bb5ad4ae5b6fdb7e5a05f366dd04bf3dd4640a9f3776a0fb9a2b6eb67d50b4613f8523fa86219125b07f6e7acf11823b89c38693737a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
870632ddd9e9ba00b2a6c7ac03cfef82

SHA1
355a4e71821354b975c832bb7625c57d7893fd76

SHA256
489c584bb89d29796e6e75987807e2d5121d6735182c7097c5ae92e9e34eced9

SHA512
9a0c88ce5fbbf2e93c385c68d2b4852672722bb1f99d2279925a699e39b95a04e89982c185b967bf17d08e40a17011014bd71e09e643fbe8232993703be73d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
5ae6427aafd92afe165911758dfd7a14

SHA1
fdfbce4bfd269dca0a669cfdad81097dea5f439e

SHA256
35fdb79c843cba0e22f3fcd9975aa9097891f817152fae0eec0779918d69210c

SHA512
3adf6087041f40f759b7a7819048cdab86ac6767fdea96e3a1859266569c766723b7b7c123ff49a6ac0926a0df80207028fe7aba386d8a852d8496f830e3ba49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
989e21c95e371da524c05696fd71e174

SHA1
f7117d9681cf37bc7857f064e2371ff3085f6542

SHA256
6f77071b21b0b4c10fd8007a128695c9675e45fdf7339c2c3a96d84f5390d6e7

SHA512
2b0f0bcd5d88099233d255ad6fd22c5507cf8666559ccfbe145fce1d89f2808154f58ea4a21218a2d50bb78db4ae2b112c4ae7ea468493c0580792146fffad91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
52620ad488be3e00aabfc5f666263670

SHA1
0e2ae3d932fe89a3b8a85ef6a015636b3123a92b

SHA256
5ae2e18b0a2e9d6469b4d9ad26fd5dfa3bcd9a033aef677ccee9727a4f1c31c7

SHA512
c65b2e4d1199ee0a12d268019ad3db4777589bb21f919daefd5604e132ce9b42fbcb39780f74b924cfbacc634ff93a254c262fb72f2807f22f2995f62324d106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31279a581b9ccfa71b1f499f7daff2b5

SHA1
14b3bf7b3224ac72dd1c9d269b18041d5406107b

SHA256
c744043c0ef11b9fcf66fb49baa641e13fc207053f65aaf3ba9fa9a000be79d4

SHA512
9149e54f65c6785fd1f6ac22e1514887d942d63b5d77087ad58c33815396da48c59e39bf3d83433af19115027dddc42b8caf170632df43b3abc1e426736e0762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b680c4805852245210940f3bda76f211

SHA1
4b49e0bcd45d02744d22b096f5030e9bc267f3c9

SHA256
b6fc647d09444c51ea3c60a2058491350a30ad1b5730122b9332f0f0b7b7cd60

SHA512
c393afaf4a8f9a779cf2c547ef540ab3ec834a85d74837b0881cb934de8572dede5aefa1e5f84e74ab1b03afe6d6c474c7129a0956cf77df21da94a4c6de262c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
450691a836564835b1ee81f3d8a6bfe6

SHA1
4f8f35ea01d239b39feddae039646872d654ddfc

SHA256
78ee1a94f1f57bc26db0a9e23b82b95f581b040a3288f220c00d87829c3ebd44

SHA512
2cb6364dbc0b3ac23c16a096400d2a11728d445b9c93cf42e541bdb57ab06097dda1b4d0fbeaca62c4ffef9cca30be654d3d83051dacce42f22b296d84726d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e07df17e31ad440fb20b01f20c40f11c

SHA1
f26d91c77b447aa36f7813c635dec9ab5e767dd4

SHA256
cbce5cc1ac36139b0cedd2cb2802723806ed7024452bb5b9b3a50f0189eb88e6

SHA512
f9195636b84105177074211a41a03cffb1399d52f525af1cb665dd1e834ddf9dfffbedc868ec891acc0fda80005079b1de54013ce1cd17cfb037c78460d36db7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Downloads\BadRabbit Ransomware.zip

Filesize
395KB

MD5
b303526df291ef092a7650af3d4d63f8

SHA1
97c6532d1df35b3e5c352c29006985468eb7abc5

SHA256
7da4698bb24746aa5349e9e0b3645a7fab8a977308e06c90f5282dbb5ea7d00f

SHA512
603ff899d40df62203cb1d945bb625f10d6eeb439ae5588175fb04c9d850b07517f2b82d2a02f8b8f8a493660cc2a8b592875fcee2376bb6e7fd322398a0ce66

Download Submit
C:\Users\Admin\Downloads\BadRabbit Ransomware.zip

Filesize
395KB

MD5
e841228a0ac02ca518895839ddd8f495

SHA1
c2a6b8c367e4484d570091dca41486edded777b8

SHA256
89df10f5e9b8ae9d549f738cf87a8ab9c67fc74d6e6bf65d93576b4b9c937444

SHA512
b7d0747d4b284a463f85e7eb2015e0a518ec2adc3c96b59a9b1191b46bec103897365b6f10981f475a312fa3641d4eee280f3c28899376413d3a4c1bd21df576

Download Submit
C:\Users\Admin\Downloads\Ransomware.Rex.zip

Filesize
2.7MB

MD5
50188823168525455c273c07d8457b87

SHA1
0d549631690ea297c25b2a4e133cacb8a87b97c6

SHA256
32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d

SHA512
b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70

Download Submit
C:\Windows\8066.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1456-448-0x0000000003030000-0x0000000003098000-memory.dmp

Filesize
416KB

Download
memory/1456-456-0x0000000003030000-0x0000000003098000-memory.dmp

Filesize
416KB

Download
memory/1464-420-0x0000000001370000-0x00000000013D8000-memory.dmp

Filesize
416KB

Download
memory/1464-412-0x0000000001370000-0x00000000013D8000-memory.dmp

Filesize
416KB

Download
memory/1968-381-0x00000000027B0000-0x0000000002818000-memory.dmp

Filesize
416KB

Download
memory/1968-374-0x00000000027B0000-0x0000000002818000-memory.dmp

Filesize
416KB

Download
memory/1968-384-0x00000000027B0000-0x0000000002818000-memory.dmp

Filesize
416KB

Download
memory/2884-424-0x00000000024F0000-0x0000000002558000-memory.dmp

Filesize
416KB

Download
memory/2884-432-0x00000000024F0000-0x0000000002558000-memory.dmp

Filesize
416KB

Download
memory/3476-465-0x0000000001500000-0x0000000001568000-memory.dmp

Filesize
416KB

Download
memory/3476-472-0x0000000001500000-0x0000000001568000-memory.dmp

Filesize
416KB

Download
memory/4924-444-0x0000000001130000-0x0000000001198000-memory.dmp

Filesize
416KB

Download
memory/4924-436-0x0000000001130000-0x0000000001198000-memory.dmp

Filesize
416KB

Download