badrabbit | a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

Analysis

max time kernel
131s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2025, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lokibot.exe
Size

300KB
MD5

f52fbb02ac0666cae74fc389b1844e98
SHA1

f7721d590770e2076e64f148a4ba1241404996b8
SHA256

a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA512

78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
SSDEEP

3072:bGSHTJKB/DA8SBV7Nr6JD6u8w/CpLmrCpLmlrudATPTVWZV5wx3nu9B6jFdnp:bGSzYBchvEJD6LpZj+PTa7wx36AjX

Score

10^/10

badrabbit lokibot mimikatz agilenet discovery ransomware spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023df3-609.dat	mimikatz

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe

Executes dropped EXE 4 IoCs

pid	Process
1196	BadRabbit.exe
2840	ABFA.tmp
2604	BadRabbit (1).exe
4352	DeriaLock.exe

Loads dropped DLL 2 IoCs

pid	Process
4152	rundll32.exe
3052	rundll32.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/4344-2-0x00000000030D0000-0x00000000030E4000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
98	raw.githubusercontent.com
99	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 3524	4344	Lokibot.exe	86

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\ABFA.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit (1).exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 145991.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 923053.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 27972.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 540778.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 724404.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2420	schtasks.exe
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	Lokibot.exe
4344	Lokibot.exe
4344	Lokibot.exe
3716	msedge.exe
3716	msedge.exe
1092	msedge.exe
1092	msedge.exe
632	identity_helper.exe
632	identity_helper.exe
5024	msedge.exe
5024	msedge.exe
4152	rundll32.exe
4152	rundll32.exe
4152	rundll32.exe
4152	rundll32.exe
2840	ABFA.tmp
2840	ABFA.tmp
2840	ABFA.tmp
2840	ABFA.tmp
2840	ABFA.tmp
2840	ABFA.tmp
2840	ABFA.tmp
3616	msedge.exe
3616	msedge.exe
3052	rundll32.exe
3052	rundll32.exe
2920	msedge.exe
2920	msedge.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe
4352	DeriaLock.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	Lokibot.exe
Token: SeShutdownPrivilege	4152	rundll32.exe
Token: SeDebugPrivilege	4152	rundll32.exe
Token: SeTcbPrivilege	4152	rundll32.exe
Token: SeDebugPrivilege	2840	ABFA.tmp
Token: SeShutdownPrivilege	3052	rundll32.exe
Token: SeDebugPrivilege	3052	rundll32.exe
Token: SeTcbPrivilege	3052	rundll32.exe
Token: SeDebugPrivilege	4352	DeriaLock.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3524	4344	Lokibot.exe	86
PID 4344 wrote to memory of 3524	4344	Lokibot.exe	86
PID 4344 wrote to memory of 3524	4344	Lokibot.exe	86
PID 4344 wrote to memory of 3524	4344	Lokibot.exe	86
PID 1092 wrote to memory of 3476	1092	msedge.exe	90
PID 1092 wrote to memory of 3476	1092	msedge.exe	90
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 4840	1092	msedge.exe	91
PID 1092 wrote to memory of 3716	1092	msedge.exe	92
PID 1092 wrote to memory of 3716	1092	msedge.exe	92
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93
PID 1092 wrote to memory of 3600	1092	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
  "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
  2⤵
  PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x104,0x128,0x7ffc0fb846f8,0x7ffc0fb84708,0x7ffc0fb84718
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1196
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3837924252 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4516
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3837924252 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 21:52:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:2380
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 21:52:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
  - - C:\Windows\ABFA.tmp
      "C:\Windows\ABFA.tmp" \\.\pipe\{D067FA18-15E1-4E29-B85F-E35D445A48BC}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Users\Admin\Downloads\BadRabbit (1).exe
  "C:\Users\Admin\Downloads\BadRabbit (1).exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2604
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Users\Admin\Downloads\DeriaLock.exe
  "C:\Users\Admin\Downloads\DeriaLock.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18373067459289458909,11938919592509964714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1
  2⤵
  PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f6c6ebcf09e9d5fdf9ec9cfc2153de57

SHA1
d24a883478f2508a2b96bb0175bbee9766e7b7db

SHA256
ca03d1669ec72bc687374597d418f0b4362143b573f3c3bdc54b4e6304cf4248

SHA512
c1f536151fa9d634cdf99f1188bc11d887a0878610f7cdb97db8a40f0029985df6a92ca0e0dbc363d4eb6a2a3a584cff665e6a4eb976261e0174442552fec36a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
940B

MD5
64a029c9bfa06cb5e489bd6df7a85b17

SHA1
4755dd3206b9625870ecdcb9b79345eb03956614

SHA256
5908606e72d5e6831b55375e2993f4b514f4d6422cfafadd8a781a8e8d8900d6

SHA512
2769d079bea3cd1b457ebf6ad7fc9e1768605c8495cbaa35366abed6751d5de35189502a70805876f8e3f1ec12b312a7f27057616ced08f6e938805168ab10a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
90b9420571a8e1af44ebf405246a7b06

SHA1
ce2f357c759154046800d9c9b40b37c6729d11e2

SHA256
7909bfa4d14911ffbda195542150ab1f1f0153503576faad565659c4390a40cd

SHA512
90e7e3c10541a73fe8d0ae4dbfd25dae17d9a81f33bbd9305f97a0005fc1f5e60cd899cdb24f88f27c6b98a8d343a735f39b4bc4e3ba0e32b51d71ba4227c878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6f91738650a3a6cdba5b6e8fcc39afc5

SHA1
d2957492a9be2f7f85735adec817a0b83270ae56

SHA256
0163e12a92450100b68bb10e04921247ad4fdb83771dc062bd355205d8ebb14b

SHA512
e097669bde0904abf0c5d6c257d4b8eab471b25d7d7ebd796d2d3ac338359365543ebdecdb9fac6c4525024991d69ac8b316ebfb540b583f010d29bed2e1b5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7694b5f833e4e091c2b8db1b0fd9187

SHA1
71a635e979dcc9a3e3caaeee5e90b3e944bd06ba

SHA256
4c81ada4df592889b7a05ef23375b89469456279824b8cafa7df7465f6a20470

SHA512
dee3fb4e647da0a1ec65ae07eb0af4bf1ed5667858b099ee9a9f6a2ab51a1266b06da5a1a3120b709c055838077b4e4ae669520ae9dae72a17a8f2bd70d0de72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26dc8d76570c02535bb7b36d67311cd0

SHA1
3143dadd22e487d9eb91310e341f6dc141d247ed

SHA256
ef493cc1dec9dcd1466aabb6bbedf4e425a39a05322c87e7352871e278460163

SHA512
687e18c1e1c166ee8658523ad889fe54e9b56a134693eaa6dc53e498e123ff719f480bfa64a729cc621a97e4e047baf038db35f51cf651ffb03c44ec3d9d61eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
735ff236518ec89bed73081c806ba9c8

SHA1
a952cc7e1d0a02c0added6ff7f79248d4a095da4

SHA256
b64482e56995943daca15fd1858fef065dc4d20d0f2d7ca956f295cbc9ba36ea

SHA512
f2e4112769054ac35b43a4373498f656489dc5715d51b04d5a69e7cf3170e7035ba4f49c1c96ec1af27b27d7f3669193c9023507b1b56341d7d1f6d8222293cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
52ed9ba677d51f8eabccf966a70693f0

SHA1
d0d2eddf9d1a2e899bdf2605b0d17f17c1da8bc2

SHA256
eb5973ca63c035ed43a1e35ab196764f874cce58a00926051b174421d95f394d

SHA512
743b64c7d2b3a3dc19da98545f7e05fa3f7ff73388d4d180c88c1c0a175dd2b1ab79714771282cd784e1e9d8102bea7e073dba9bfcf6d2b2e2fbb88889c456f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
475c9216c85d0e16ec5c395b7e59a702

SHA1
345508065e8fbca320aef848f27adc1d876a772b

SHA256
71d7f633788081f47a67d48ac38a5f08e3ea3c5ba9345ce9031341c3794e31fd

SHA512
1b09bf5a209bdf7288fbdfd8e21c2dbaf9aa89b29e1e449705a9d00113a2182af89de35f94b7613b1050c850a8d3fe5a0baa0c053ba3eb761966808bef3ed700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58554f.TMP

Filesize
1KB

MD5
52b85980a09f8932ede4410becce4ab1

SHA1
6f43d636d4543b92919d3f7171fa52c460f91294

SHA256
3fa92add7040834f1d05542223a44a8d3dee832b75e69a24a1e385c071e01434

SHA512
d3994f19db6ad97ee9daf8453e8aeeb8e7ec4023e4178d87d622bfb44937ad49dfd0f0597cd46903d206c2c470cb2a591bc732b4b5ccae1d964e13091f22e65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1334608b3bc9d52b1e09e589f2cb0901

SHA1
f0f144987ab81ff70a6c24dfde57f566ae3fd9af

SHA256
705930c450c5dc082ca87235e3e684b1ff137c212aeab4502f08816fd00787ae

SHA512
4370a0c60f2eb4f031b154b581c00384b2f721a2646e04f8660acbb8e3d8cb4351473b1d4be6ce733039543242b522ac97bfc739b8ad78117add2abfb2be99ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a833cf90f416ba24868eb320ff119e0f

SHA1
28a8ec65bf469b9b9baef65d373a92f01ecd5c4c

SHA256
bbb1f53d37c4f4d6958b2c9eff5af9893d69638cba8bfd5400a42a916681c265

SHA512
9d33f5f89a0186dd981f25388010ab4a09ec6495ca206e06515b216043b1828f6617bb493a08807282d5c787e49f0bf277e12cbb3fb8c1d5685caa3ecc0429d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
064c920cf6c15b9afb68f9869cc85ba8

SHA1
bb7fdbf9efaf04d3f88a8c5f277e5dc40c779dc7

SHA256
c980837e7b707695fa412a9da01168b84f4394d87511b35b1a92c73605d80a1f

SHA512
9d0fc091710bef3ec42e291d2a3696fa752e022b63ac40db78280f89bf1ede378d4b8d9e51680af645d4b4d665601611a823e9a6022f7dc89a6c17907cfbe339

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 724404.crdownload

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 724404.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Windows\ABFA.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3052-654-0x0000000002A70000-0x0000000002AD8000-memory.dmp

Filesize
416KB

Download
memory/3052-662-0x0000000002A70000-0x0000000002AD8000-memory.dmp

Filesize
416KB

Download
memory/3524-401-0x0000000000700000-0x00000000007A2000-memory.dmp

Filesize
648KB

Download
memory/4152-600-0x0000000002450000-0x00000000024B8000-memory.dmp

Filesize
416KB

Download
memory/4152-592-0x0000000002450000-0x00000000024B8000-memory.dmp

Filesize
416KB

Download
memory/4152-603-0x0000000002450000-0x00000000024B8000-memory.dmp

Filesize
416KB

Download
memory/4344-6-0x00000000063B0000-0x0000000006442000-memory.dmp

Filesize
584KB

Download
memory/4344-5-0x0000000005BF0000-0x0000000005BF8000-memory.dmp

Filesize
32KB

Download
memory/4344-9-0x0000000006680000-0x00000000066C4000-memory.dmp

Filesize
272KB

Download
memory/4344-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/4344-11-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4344-12-0x0000000006500000-0x0000000006522000-memory.dmp

Filesize
136KB

Download
memory/4344-8-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4344-7-0x00000000063A0000-0x00000000063A8000-memory.dmp

Filesize
32KB

Download
memory/4344-403-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4344-10-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/4344-4-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/4344-3-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/4344-1-0x0000000000BF0000-0x0000000000C42000-memory.dmp

Filesize
328KB

Download
memory/4344-2-0x00000000030D0000-0x00000000030E4000-memory.dmp

Filesize
80KB

Download
memory/4352-749-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/4352-750-0x00000000054C0000-0x0000000005516000-memory.dmp

Filesize
344KB

Download
memory/4352-748-0x00000000052E0000-0x000000000537C000-memory.dmp

Filesize
624KB

Download
memory/4352-747-0x00000000009B0000-0x0000000000A32000-memory.dmp

Filesize
520KB

Download