Analysis

  • max time kernel
    235s
  • max time network
    236s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-11-2024 09:04

Errors

Reason
Machine shutdown

General

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Badrabbit family
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Downloads MZ/PE file
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7fd646f8,0x7fff7fd64708,0x7fff7fd64718
      2⤵
      PID:4828
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      2⤵
      PID:1148
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      2⤵
      PID:1576
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      2⤵
      PID:4424
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      2⤵
      PID:1484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
      2⤵
      PID:3596
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
      2⤵
      PID:3152
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3476
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
      2⤵
      PID:1996
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      2⤵
      PID:4952
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
      2⤵
      PID:1444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
      2⤵
      PID:632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      2⤵
      PID:3880
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
      2⤵
      PID:2224
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      2⤵
      PID:2756
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      2⤵
      PID:4244
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      2⤵
      PID:4128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      2⤵
      PID:4892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      2⤵
      PID:3548
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
      2⤵
      PID:3520
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2220 /prefetch:8
      2⤵
      PID:784
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
      2⤵
      PID:2612
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      2⤵
      PID:1356
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
      2⤵
      PID:1728
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
      2⤵
      PID:2372
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7096 /prefetch:8
      2⤵
      PID:4988
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
      2⤵
      PID:3228
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
      2⤵
      PID:2668
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
      2⤵
      PID:4916
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
      2⤵
      PID:4988
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5244
    • C:\Users\Admin\Downloads\7z2408-x64.exe
      "C:\Users\Admin\Downloads\7z2408-x64.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5480
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:732
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5780
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3484
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1732
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3564
  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:856
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5188
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5228
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3458842052 && exit"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5308
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3458842052 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:5468
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:25:00
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5480
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:25:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4744
      • C:\Windows\AB98.tmp
        "C:\Windows\AB98.tmp" \\.\pipe\{7E58A905-6AB8-4553-9C06-DEDA7D6D232B}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5380
  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
                                                                    1⤵
                                                                    • Drops file in Windows directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3932
                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                      2⤵
                                                                      • Loads dropped DLL
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:5292
                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
                                                                    1⤵
                                                                    • Drops file in Windows directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4816
                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                      2⤵
                                                                      • Loads dropped DLL
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1292
                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe
                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"
                                                                    1⤵
                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                    • UAC bypass
                                                                    • Disables RegEdit via registry modification
                                                                    • Event Triggered Execution: Image File Execution Options Injection
                                                                    • Adds Run key to start application
                                                                    • Drops autorun.inf file
                                                                    • Sets desktop wallpaper using registry
                                                                    • Drops file in Windows directory
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4360
                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                      vssadmin delete shadows /all /quiet
                                                                      2⤵
                                                                      • Interacts with shadow copies
                                                                      PID:1896
                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                      vssadmin delete shadows /all /quiet
                                                                      2⤵
                                                                      • Interacts with shadow copies
                                                                      PID:5652
                                                                    • C:\Windows\SYSTEM32\vssadmin.exe
                                                                      vssadmin delete shadows /all /quiet
                                                                      2⤵
                                                                      • Interacts with shadow copies
                                                                      PID:5608
                                                                    • C:\Windows\SYSTEM32\NetSh.exe
                                                                      NetSh Advfirewall set allprofiles state off
                                                                      2⤵
                                                                      • Modifies Windows Firewall
                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                      PID:5712
                                                                    • C:\Windows\System32\shutdown.exe
                                                                      "C:\Windows\System32\shutdown.exe" -r -t 00 -f
                                                                      2⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4636
                                                                  • C:\Windows\system32\vssvc.exe
                                                                    C:\Windows\system32\vssvc.exe
                                                                    1⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2624
                                                                  • C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe
                                                                    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"
                                                                    1⤵
                                                                      PID:5220
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
                                                                      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
                                                                      1⤵
                                                                      • Modifies system executable filetype association
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Checks processor information in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of SendNotifyMessage
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:5628
                                                                      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
                                                                        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        • Checks system information in the registry
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3224
                                                                        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
                                                                          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1648
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
                                                                      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
                                                                      1⤵
                                                                      • Modifies system executable filetype association
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Checks processor information in registry
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      PID:5252
                                                                    • C:\Windows\system32\LogonUI.exe
                                                                      "LogonUI.exe" /flags:0x4 /state0:0xa3909055 /state1:0x41c64e6d
                                                                      1⤵
                                                                      • Modifies data under HKEY_USERS
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:5048
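The command lines in the tree above are the whole story of what the two samples did before the machine went down: BadRabbit registers a SYSTEM task at boot (rhaegal) and a one-shot reboot task (drogon), then loads its dropped payload through rundll32 by ordinal; RedEye wipes shadow copies, switches the host firewall off and forces an immediate reboot. The script below is an added example, not part of this report and not code from either malware family, that runs simple triage rules over those command lines, transcribed here as constructed input. Where the report already has a signature for the behaviour the rule reuses that name ("Deletes shadow copies", "Modifies Windows Firewall", "Scheduled Task/Job: Scheduled Task"); the other labels, and the function and field names, are my own. The OneDriveSetup entry is included to show that the installer's /restart switch is not mistaken for the malware's reboot.

```python
"""Triage the command lines from a sandbox process tree for ransomware-style
impact and persistence behaviour.

Added example: the rules are heuristics written for this page, not the
sandbox's own detection logic. SAMPLE_PROCESSES is transcribed from the
process tree above (pid, image, command line).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str      # image basename, lower-cased
    signature: str  # signature name (report's name where one exists)
    detail: str     # the evidence taken from the command line


# Transcribed from the report; PID 3224 is benign updater noise kept as a control.
SAMPLE_PROCESSES = [
    (5468, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3458842052 && exit"'),
    (4744, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:25:00'),
    (5228, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /Delete /F /TN rhaegal"),
    (5292, r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    (1896, r"C:\Windows\SYSTEM32\vssadmin.exe", r"vssadmin delete shadows /all /quiet"),
    (5712, r"C:\Windows\SYSTEM32\NetSh.exe", r"NetSh Advfirewall set allprofiles state off"),
    (4636, r"C:\Windows\System32\shutdown.exe", r'"C:\Windows\System32\shutdown.exe" -r -t 00 -f'),
    (3224, r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart'),
]


def task_action(cmd: str) -> str:
    """Return the quoted /TR (task action) argument of a schtasks command line, or ""."""
    m = re.search(r'/TR\s+"((?:[^"\\]|\\.)*)"', cmd, re.IGNORECASE)
    return m.group(1) if m else ""


def classify(pid: int, image: str, cmd: str) -> list[Finding]:
    """Apply every rule to one process; a process may trigger several signatures."""
    base = image.rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    found: list[Finding] = []

    # Impact: shadow copy deletion (report signature "Deletes shadow copies").
    if base == "vssadmin.exe" and "delete" in low and "shadows" in low:
        found.append(Finding(pid, base, "Deletes shadow copies", cmd))

    # Defense evasion: host firewall switched off for every profile.
    if base == "netsh.exe" and "advfirewall" in low and "state off" in low:
        found.append(Finding(pid, base, "Modifies Windows Firewall", cmd))

    # Persistence / impact via scheduled tasks: what matters is what the task runs.
    if base == "schtasks.exe" and "/create" in low:
        action = task_action(cmd)
        found.append(Finding(pid, base, "Scheduled Task/Job: Scheduled Task", action))
        if "shutdown.exe" in action.lower():
            found.append(Finding(pid, base, "Scheduled reboot (task runs shutdown.exe)", action))
        elif "/ru system" in low and "onstart" in low:
            found.append(Finding(pid, base, "Boot persistence (SYSTEM task, ONSTART)", action))

    # rundll32 calling an export by ordinal from a file that is not named *.dll.
    if base == "rundll32.exe":
        m = re.search(r"(\S+),#?(\d+)\b", cmd)
        if m and not m.group(1).lower().endswith(".dll"):
            found.append(Finding(pid, base, "rundll32 calls ordinal export of a non-.dll file",
                                 f"{m.group(1)} ordinal {m.group(2)}"))

    # Forced immediate reboot: the reason this run ended with "Machine shutdown".
    if base == "shutdown.exe" and re.search(r"[-/]r\b", low) and re.search(r"[-/]f\b", low):
        found.append(Finding(pid, base, "Forced reboot", cmd))

    return found


def triage(processes=SAMPLE_PROCESSES) -> dict[int, list[str]]:
    """Map each PID to the signature names it triggered (empty list = nothing flagged)."""
    return {pid: [f.signature for f in classify(pid, image, cmd)]
            for pid, image, cmd in processes}


if __name__ == "__main__":
    for pid, image, cmd in SAMPLE_PROCESSES:
        for f in classify(pid, image, cmd):
            print(f"PID {f.pid:>5} {f.image:<14} {f.signature}: {f.detail}")
```

The rules key on the image basename plus a few switches rather than on full-string matches, so the same logic fires on "schtasks.exe" launched from either System32 or SysWOW64 and on "-r"/"/r" spellings of the shutdown switches. The task-action parser matters because the interesting part of both BadRabbit tasks is inside the quoted /TR value, which a naive split on spaces would break apart.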

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files\7-Zip\7-zip.dll
  Filesize: 99KB
  MD5: d346530e648e15887ae88ea34c82efc9
  SHA1: 5644d95910852e50a4b42375bddfef05f6b3490f
  SHA256: f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902
  SHA512: 62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RedEye.exe.log
  Filesize: 1KB
  MD5: 2d2a235f1b0f4b608c5910673735494b
  SHA1: 23a63f6529bfdf917886ab8347092238db0423a0
  SHA256: c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884
  SHA512: 10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b8880802fc2bb880a7a869faa01315b0
  SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
  SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
  SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ba6ef346187b40694d493da98d5da979
  SHA1: 643c15bec043f8673943885199bb06cd1652ee37
  SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
  SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
  Filesize: 62KB
  MD5: c3c0eb5e044497577bec91b5970f6d30
  SHA1: d833f81cf21f68d43ba64a6c28892945adc317a6
  SHA256: eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
  SHA512: 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
  Filesize: 70KB
  MD5: 807dda2eb77b3df60f0d790fb1e4365e
  SHA1: e313de651b857963c9ab70154b0074edb0335ef4
  SHA256: 75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc
  SHA512: 36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
  Filesize: 19KB
  MD5: 76a3f1e9a452564e0f8dce6c0ee111e8
  SHA1: 11c3d925cbc1a52d53584fd8606f8f713aa59114
  SHA256: 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
  SHA512: a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
  Filesize: 63KB
  MD5: 710d7637cc7e21b62fd3efe6aba1fd27
  SHA1: 8645d6b137064c7b38e10c736724e17787db6cf3
  SHA256: c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
  SHA512: 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 8e0623dd1c957fc473af5334fc081593
  SHA1: 7ebb33967a2b384429ab280f3aa3ca3b54f5452a
  SHA256: 1c029b44869582d345b96be9e83965012d083449c13159457e58c5fe6d4232ab
  SHA512: c299ccccd745505da09ce285c2e8c3bd1398ba8d43d1275d2551712987029be9f4274c84d76061521ccb9029608f1650dc681c70ae6f5486257e23a0df13f8fa

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 2KB
  MD5: 67bd0a149d59ceb5b23896ffa1826ba1
  SHA1: 8a9477dc128544e2e40724346ea53261cee07074
  SHA256: 96ea19231d4d4228a016bf748a89c7c6565b4192ad8c6e423b45cb392acf27d4
  SHA512: 6cd85e25a9ccd023663ef7c95150975b15352f3c86dda3b71ca24d29e0448cf84dca5bf88b650c6873282dc79d1d0b8fcf2dcf37534f9fbc39900c271603cbd7

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: e0b9a03a7258c336c5dbf157ccedbd31
  SHA1: f44b77023bfec4a221a527d9b9c5215e6615046f
  SHA256: 53e160399ecc3b780931615aeeb2a939af143582c6717c83836b44e4a48ddb85
  SHA512: 0877ece0be98000217810a16209d489bcf9e8a34224d26d210ccf20405245c953f990a3be33b419a3babd374404cb7d86c3eb57a411d0e80399674caba262812

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 6c40b005a929e6a42484f6d3b3e5d13a
  SHA1: 8f07d6db99c34ea719f6378a1ceb942cf1dbf1c2
  SHA256: f84652834bc00aca2ee2b030f1128acec71f675e927aafa166c35f3ef6c6305d
  SHA512: 7a115e64e515b5e00260df3f219d943e48683c15bab9b01eaf90e08f72c2b05572234116398848d4424296b5a74b100c2cbf253298c682d6be13bbfd7106a32d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 346d95f4e4fed7ccfb1eb7881242fde0
  SHA1: 7667ba65f36359ee9f44e2965f2d16b8a8d08ddd
  SHA256: d792d3e56926c97845f6398b335522f0bdd00415fbd411fae87b3f8dfa70d395
  SHA512: 971b53b3e51c8174cf2bc4cd4a3b1deab030b0184afbf0094f73f33c4af5107f513fb17f08c76f46d94fe29fcbb986ec114a130d1434b9f6a11dd72c470ea9a7

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: a41e2c8cbf6824ea9331d16f3cd33f95
  SHA1: fb7b68ea271174d2dd0ed1efdc33230e28f10c8c
  SHA256: ddc8abe74a3374c72d29c82640cc4679fb31ecf029b9619dcb150dc1bdeb819a
  SHA512: d820f95e0bf0e3af8455f9b6c74f2182d419c98e43798a19d9ea6d7d8a25b229a5b19ff036e59f6eee1081f0fd3530b3de7ce122f45e33f6224c81ce1bada5cc

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 248418322ec79299cd2c34d0d4143ae9
  SHA1: 618b0c7d2546e56eab95108e8c5c3035351f7f6d
  SHA256: a339bd9c5621920d8a5a001c1dbfce0a3b7efc26ec3eb978f6b90ed3f2b82190
  SHA512: ddd000dac27d0d6369749b367c576df31aaf01fc2ca5e14c47f2121728e4c76e9ed523226d60ed512d073703f1dceb8f0ad8454190dad491b833580ede9e3b17

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 98c046d10de02ff3d0a072b6822051d7
  SHA1: ef84bace64280b1a26bd45559453c0686981fc79
  SHA256: 5fc3b26c6795a504901182ee7fd5bfb7f342777824692beb5bc74c714cccdf3d
  SHA512: 5e9ff3a000f88ecff420a3fdd540e378f83603f8929951fb4c3a2bfed5eb873ec9550b4c154038bb3dbc8d0a174a824a2bc4c5c70dd779c910e5cae29b0eee30

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize

                                                                      1KB

                                                                      MD5

                                                                      55f9d6a580016b9b22e497c9f23db58c

                                                                      SHA1

                                                                      3894d4e3460c94181259c67759f12f25e00b1293

                                                                      SHA256

                                                                      c91940f9306701202f29fa2457d0935778765a5a4fb3b21ef9acff5b241950ad

                                                                      SHA512

                                                                      fc2a7692eae6f18ccd1ca8ba8a72366d196bf482b484df1371277f47c36c0b724e5beaffe23941e312e0fd9caea2d05c44f7bd9915c062a4141e300a16a1cd04

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      d70f60bf17909bd07fc11e0db22b1238

                                                                      SHA1

                                                                      d335f86da52d6caa637042e7710254720d311a0a

                                                                      SHA256

                                                                      af349c1d143ef63caec6337224ae6f3319a8495950cac5d140de41bea85084c4

                                                                      SHA512

                                                                      4bb4f4241e8b12a983eb8c21aaa1b9a57b7fe768402fddc0f0f425ed9ce7d00a95eea27adb224336c02a5f92bea450362bceadf2041dd94a6ae9ab926fc6b292

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e743.TMP

                                                                      Filesize

                                                                      204B

                                                                      MD5

                                                                      0040e3ff1d5ab37ee29816a9f8aec651

                                                                      SHA1

                                                                      490c373c0981e1c452709a19f869d6721a62fa3e

                                                                      SHA256

                                                                      2faba35be316944e5745674872b3b8edfd028ddd5ffd15aaab56b5f8f19ccdb2

                                                                      SHA512

                                                                      a84232430d79ed2f6dca20e94b85b59bb69a944c781ef5ed9bc80004a5d2c7f19c78a6dd9a3f967d43baf94fdf4f0dda3f2d519bebee7c50681c83679f25394e

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      6752a1d65b201c13b62ea44016eb221f

                                                                      SHA1

                                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                      SHA256

                                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                      SHA512

                                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                      Filesize

                                                                      12KB

                                                                      MD5

                                                                      0745ebad86f7969ef9ec9fd2cf109759

                                                                      SHA1

                                                                      5d658fbf4d068e2aefe225d49c941dce232cd0b1

                                                                      SHA256

                                                                      56ce61c48fc86340a04fd35e9eefd6557a90f8d5599ec38749a8faa0bdbd9dee

                                                                      SHA512

                                                                      bdfa78addad064aa84fd063829438bed6a16d3db99ff8adf558c29958ddee44864cf3d6f4273381d85895404e2ebf9fa8d96a549c3c4d7ab5adf1384f1f126ab

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      18e3488f845d033f3a00c446a0fd8c8e

                                                                      SHA1

                                                                      d3899f733fbc21a29d79ccc604007658f60d4cf7

                                                                      SHA256

                                                                      a5edf8772b90cb9a5821bc99eab31383c8f788fcc947d2261753e3a8be25ef8d

                                                                      SHA512

                                                                      194ada8e2ddbdf3e6428f355cbefde8afae8d2f5f54baeded75ed9191f8be8ff5950774ca7c8a507d48fe24bebde0c89209eac52d61d13695123abd779a4c3ec

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      964580bc41b1144b708206bf58984372

                                                                      SHA1

                                                                      48787a5dc05c2529d2e6abedb551daea77fc4030

                                                                      SHA256

                                                                      254c3bd3c0a6693435453f07b28453cc3736363b5bb3c8a577209b8ccf4ca4a9

                                                                      SHA512

                                                                      31b7d1bd6c0ebc1281b442322520dab8719e7b21366218fee38ce3c4672cc690b572ef77535606cee25b759daae92d0a41d2a61b735296b4bcbaab7092324dda

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

                                                                      Filesize

                                                                      40.2MB

                                                                      MD5

                                                                      fb4aa59c92c9b3263eb07e07b91568b5

                                                                      SHA1

                                                                      6071a3e3c4338b90d892a8416b6a92fbfe25bb67

                                                                      SHA256

                                                                      e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

                                                                      SHA512

                                                                      60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2024-11-7.98.5252.1.odl

                                                                      Filesize

                                                                      6KB

                                                                      MD5

                                                                      130b8af55adf2cc475071e6777311d18

                                                                      SHA1

                                                                      d26538ce13cba60625b875f672ec5baade0c99e9

                                                                      SHA256

                                                                      eb7fe30cc1573915cfd005240e5b265996d6c416f5bb383cc65361ff7f595c33

                                                                      SHA512

                                                                      ec7d4048fc8212129e621ee8e9202ed9cd7da0f9953c413804d290d1b0ba13a76ddc280833ea230727516e3fcf3f93e548bad067e9969431ee37ffe93f85759b

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2024-11-7.98.5628.1.aodl

                                                                      Filesize

                                                                      217KB

                                                                      MD5

                                                                      0be0ca009a5cb720b700940e2b4b50d3

                                                                      SHA1

                                                                      51ad0c90ee74ee4ff81ea5f0cce47489bdbdb51e

                                                                      SHA256

                                                                      ad5aa515b71303c3943e4bbd2ad08dd7dbd1a94a432a6d5d7ded06aee77fd5ce

                                                                      SHA512

                                                                      0603de255eab1c83161c80a82b9b411e87553662ab8602ea20e2c992f8783a0cf13015692edabc960b7249c0af5644ad2eee1a84d6359be2f91032a170b92531

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\TraceCurrent.0729.0013.etl

                                                                      Filesize

                                                                      4KB

                                                                      MD5

                                                                      2887c19ce79f266b959d6840711ca594

                                                                      SHA1

                                                                      fcbeab5c9abf1292c81d2e5914f00eae4c4805b1

                                                                      SHA256

                                                                      d593cff2a971e0f5c3248c30929f5a4efde0ddc571ff77ef14520b53247f2c80

                                                                      SHA512

                                                                      146e9b32eb7e920855f0ef766bf97debeb6babdfd830dc0895f5625ddd13c083a3dcec5d00dc8612697b41ab13a327d63d4a1daa486f800083c585b3ea0083c7

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.session

                                                                      Filesize

                                                                      20KB

                                                                      MD5

                                                                      c108a9d181e0875c62c01ddfe077144c

                                                                      SHA1

                                                                      9e76a3871163f26030e6c509e74b10738ad305f1

                                                                      SHA256

                                                                      071afd69e6312cf7d8e9c48cb2af714b7554b162f2432a5bd5335f090ff823ad

                                                                      SHA512

                                                                      9052c5794cf28d90d1edcc1802e831dbd70366a464545a34851813beffcc239dd0b2c30f2ff5ebc34209b861237b7ebc4fdb8a652aa4362fe33b9c9a9c9786af

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

                                                                      Filesize

                                                                      38B

                                                                      MD5

                                                                      cc04d6015cd4395c9b980b280254156e

                                                                      SHA1

                                                                      87b176f1330dc08d4ffabe3f7e77da4121c8e749

                                                                      SHA256

                                                                      884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

                                                                      SHA512

                                                                      d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

                                                                      Filesize

                                                                      63KB

                                                                      MD5

                                                                      e516a60bc980095e8d156b1a99ab5eee

                                                                      SHA1

                                                                      238e243ffc12d4e012fd020c9822703109b987f6

                                                                      SHA256

                                                                      543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

                                                                      SHA512

                                                                      9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\update100[1].xml

                                                                      Filesize

                                                                      726B

                                                                      MD5

                                                                      53244e542ddf6d280a2b03e28f0646b7

                                                                      SHA1

                                                                      d9925f810a95880c92974549deead18d56f19c37

                                                                      SHA256

                                                                      36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

                                                                      SHA512

                                                                      4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

                                                                    • C:\Users\Admin\AppData\Local\Temp\aria-debug-5252.log

                                                                      Filesize

                                                                      470B

                                                                      MD5

                                                                      0dcf46419cf59a50c4703af24a0566cf

                                                                      SHA1

                                                                      39f56330fd7453921eba7d32d3aa0f529204e060

                                                                      SHA256

                                                                      98028c1061044e7ed56f4f3f76987a86d5a0ddf81ac9a320d2378ee2d06ae1ba

                                                                      SHA512

                                                                      57338837ee35e358cf93d7a5baa37aaea1f854d25f02bfb5c4a141f7d8500bbd9774d77b2c51a8ef83e9f5e5f6494da6331173223d98f7b7395d6519bc64f303

                                                                    • C:\Users\Admin\Downloads\Unconfirmed 799744.crdownload

                                                                      Filesize

                                                                      1.5MB

                                                                      MD5

                                                                      0330d0bd7341a9afe5b6d161b1ff4aa1

                                                                      SHA1

                                                                      86918e72f2e43c9c664c246e62b41452d662fbf3

                                                                      SHA256

                                                                      67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

                                                                      SHA512

                                                                      850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

                                                                    • C:\Windows\AB98.tmp

                                                                      Filesize

                                                                      60KB

                                                                      MD5

                                                                      347ac3b6b791054de3e5720a7144a977

                                                                      SHA1

                                                                      413eba3973a15c1a6429d9f170f3e8287f98c21c

                                                                      SHA256

                                                                      301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

                                                                      SHA512

                                                                      9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

                                                                    • C:\Windows\infpub.dat

                                                                      Filesize

                                                                      401KB

                                                                      MD5

                                                                      1d724f95c61f1055f0d02c2154bbccd3

                                                                      SHA1

                                                                      79116fe99f2b421c52ef64097f0f39b815b20907

                                                                      SHA256

                                                                      579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

                                                                      SHA512

                                                                      f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

                                                                    • memory/1292-921-0x0000000002C00000-0x0000000002C68000-memory.dmp

                                                                      Filesize

                                                                      416KB

                                                                    • memory/1292-929-0x0000000002C00000-0x0000000002C68000-memory.dmp

                                                                      Filesize

                                                                      416KB

                                                                    • memory/2488-874-0x0000000002190000-0x00000000021F8000-memory.dmp

                                                                      Filesize

                                                                      416KB

                                                                    • memory/2488-860-0x0000000002190000-0x00000000021F8000-memory.dmp

                                                                      Filesize

                                                                      416KB

                                                                    • memory/2488-868-0x0000000002190000-0x00000000021F8000-memory.dmp

                                                                      Filesize

                                                                      416KB

                                                                    • memory/4360-932-0x00000137943F0000-0x00000137943F6000-memory.dmp

                                                                      Filesize

                                                                      24KB

                                                                    • memory/4360-931-0x00000137AE6A0000-0x00000137AF6B6000-memory.dmp

                                                                      Filesize

                                                                      16.1MB

                                                                    • memory/4360-930-0x00000137935C0000-0x000001379405C000-memory.dmp

                                                                      Filesize

                                                                      10.6MB

                                                                    • memory/5292-891-0x0000000000F00000-0x0000000000F68000-memory.dmp

                                                                      Filesize

                                                                      416KB

                                                                    • memory/5292-880-0x0000000000F00000-0x0000000000F68000-memory.dmp

                                                                      Filesize

                                                                      416KB