badrabbit | 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Resubmissions

11-02-2025 17:17

250211-vtrznatrey 10

11-02-2025 17:05

250211-vl6svatqaw 10

11-02-2025 16:57

250211-vgczzatkhl 10

Analysis

max time kernel
749s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2025 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Contract Action.pdf.exe
Size

431KB
MD5

fbbdc39af1139aebba4da004475e8839
SHA1

de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512

74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023c8a-20.dat	mimikatz

Blocklisted process makes network request 5 IoCs

flow	pid	Process
287	1664	rundll32.exe
310	1664	rundll32.exe
322	1664	rundll32.exe
333	1664	rundll32.exe
345	1664	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	B4AA.tmp

Loads dropped DLL 1 IoCs

pid	Process
1664	rundll32.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\B4AA.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	Urgent Contract Action.pdf.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Urgent Contract Action.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2671265011-1578681955-3068118665-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3992	schtasks.exe
4672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
2204	B4AA.tmp
2204	B4AA.tmp
2204	B4AA.tmp
2204	B4AA.tmp
2204	B4AA.tmp
2204	B4AA.tmp
1156	msedge.exe
1156	msedge.exe
1556	MicrosoftEdgeUpdate.exe
1556	MicrosoftEdgeUpdate.exe
1556	MicrosoftEdgeUpdate.exe
1556	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1664	rundll32.exe
Token: SeDebugPrivilege	1664	rundll32.exe
Token: SeTcbPrivilege	1664	rundll32.exe
Token: SeDebugPrivilege	2204	B4AA.tmp
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	4352	firefox.exe
Token: SeDebugPrivilege	1556	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe
4352	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4352	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1664	1156	Urgent Contract Action.pdf.exe	86
PID 1156 wrote to memory of 1664	1156	Urgent Contract Action.pdf.exe	86
PID 1156 wrote to memory of 1664	1156	Urgent Contract Action.pdf.exe	86
PID 1664 wrote to memory of 3216	1664	rundll32.exe	87
PID 1664 wrote to memory of 3216	1664	rundll32.exe	87
PID 1664 wrote to memory of 3216	1664	rundll32.exe	87
PID 3216 wrote to memory of 4852	3216	cmd.exe	89
PID 3216 wrote to memory of 4852	3216	cmd.exe	89
PID 3216 wrote to memory of 4852	3216	cmd.exe	89
PID 1664 wrote to memory of 1996	1664	rundll32.exe	90
PID 1664 wrote to memory of 1996	1664	rundll32.exe	90
PID 1664 wrote to memory of 1996	1664	rundll32.exe	90
PID 1664 wrote to memory of 3604	1664	rundll32.exe	92
PID 1664 wrote to memory of 3604	1664	rundll32.exe	92
PID 1664 wrote to memory of 3604	1664	rundll32.exe	92
PID 1664 wrote to memory of 2204	1664	rundll32.exe	93
PID 1664 wrote to memory of 2204	1664	rundll32.exe	93
PID 1996 wrote to memory of 3992	1996	cmd.exe	96
PID 1996 wrote to memory of 3992	1996	cmd.exe	96
PID 1996 wrote to memory of 3992	1996	cmd.exe	96
PID 3604 wrote to memory of 4672	3604	cmd.exe	97
PID 3604 wrote to memory of 4672	3604	cmd.exe	97
PID 3604 wrote to memory of 4672	3604	cmd.exe	97
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4256 wrote to memory of 4352	4256	firefox.exe	102
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103
PID 4352 wrote to memory of 4008	4352	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Contract Action.pdf.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 713669272 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 713669272 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:35:00
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:35:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4672
- - C:\Windows\B4AA.tmp
    "C:\Windows\B4AA.tmp" \\.\pipe\{9944E688-EC0A-42E9-8521-94E98814ED79}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 27201 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7fcdb81-9e60-473f-87fa-9a770286e21e} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" gpu
    3⤵
    PID:4008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 27237 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2108286f-e7e5-4c02-bf8a-178f4e17e607} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" socket
    3⤵
    - Checks processor information in registry
    PID:1456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2932 -childID 1 -isForBrowser -prefsHandle 2760 -prefMapHandle 3000 -prefsLen 27378 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79bac1bf-d6ba-4585-be3d-ba49f9c620f6} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3404 -childID 2 -isForBrowser -prefsHandle 3356 -prefMapHandle 2684 -prefsLen 32611 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a7ab16-623c-4870-8a2d-9cb94a5d9cc9} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:4080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4644 -prefMapHandle 4640 -prefsLen 32611 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c08e6934-8406-42dd-aabf-5995f4c0003e} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" utility
    3⤵
    - Checks processor information in registry
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -childID 3 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a74d57ac-0699-4572-a0fd-1c73797e97dc} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 4 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9c955f-26e9-486a-8504-4493a9ab51f1} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:1552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 5 -isForBrowser -prefsHandle 5420 -prefMapHandle 5428 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58034670-4253-4e2d-83bb-8d5eb1bb7ca6} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab
    3⤵
    PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault62aa2efdhf445h435eh964dh97e8532ecfed
1⤵
PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc972346f8,0x7ffc97234708,0x7ffc97234718
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,14181533315808834907,7740525314329098227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,14181533315808834907,7740525314329098227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,14181533315808834907,7740525314329098227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4cafc69c423e360fae1761e5c427cae9

SHA1
3cebbb7de72319b47f2e9111c50a8db628cf4350

SHA256
d3b9d572d6851da285d9b31ffab1a8fa414bffc689ee4b2c0118c51e26372175

SHA512
549d61aa7a5526bb989de432522a0241e17669c5844b01bc4e6e768398dbe2cc46e3add8f3fc5fc0979f8bd08444ba4a3a1a930958810cd46f2c19f28435c587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b5240b3e3b642b609516512fb54778db

SHA1
33d3dcc44c00b937a18df1031dcc1011a08d20d6

SHA256
cca5f44a26c7fd63ee540c84065822d09542f1acf32670edcbeebaee5172959d

SHA512
b6a6e9270a41f9cfb5ec97dc2334a8d7cd5f0542095b321d658ae2a6f5455814fab5289082b35057868af962ae4ae13ba354de18b7ae3b71d1ff56b66131233f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fd2e1584a5e11f2e8dc3e51aab7a812f

SHA1
23f0ded9c1fbadbe839836f0d475ca24b0d82b83

SHA256
1eeca1a8a72a7328908588496094ce7200881a147ad3b32ba5c17b280f37787a

SHA512
e46d4b3f1a9e75feb081cef9f00aa71497f882267554c92dd694e9affbef384b855d3f638842c291721febe64d1aeaf739c44cd39eb055edf297c94c4d8b92b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3088cvpk.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
43a626e596e526e1b0f5865f3a386262

SHA1
f0ab8d7117b1380419b1ceb1b9e67b6be5e91154

SHA256
1e74070e9b51ebd2d405e6e1b2e062f8f8dcd4f915d1b5d020431c378c3e3d90

SHA512
b0b6c596794f7dd560981ba87ff1e265463319a1782b9fb78e75fb2b3213e836b63e922fc3c5ecfef433af42e0009feedd22e56dba34665c08fe194a0ab72a31

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3088cvpk.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
1ccf97fb4a221f7af29843c37dfe1bdf

SHA1
fcdeda90d07db54fd49d56980a4d41b52a00afb3

SHA256
c4fed6d71b2266f20a0c53e36bf345e65335c868818416de42e379b434d31d53

SHA512
a8405ecaa4a20ea6c402e00c1fc2197564b8850f91b136470fc43c06b1645f4e7fb0cf3a80556071a1914cb8cf3578594057c618529dce6d8c9da705c21ce8fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3088cvpk.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\AlternateServices.bin

Filesize
8KB

MD5
ee543dbbd8c4ec3e3869b2f440b5d65a

SHA1
65be347b5a2284a8c242412101a281bc0c5ed274

SHA256
9beca989edb6e437f4b6902a9163a8403cca6fbb714f3e48f77420324a4049c3

SHA512
f9d724ca3872de99c7eb18f4a5664d9c74ca97dfbaa50f41a898f9dc113b1214d626583e8a55eb857ae54b6ce1876363a90b34471a81a7bec9a07fd089edc947

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
c01aed412e290eab52963e4016d1e14a

SHA1
67b0edeef8d52db53551998a0584225e669ce64d

SHA256
2479609ff91223db4ec0b4ac6ded86222cd5ac34c11a3af6f220cc3a9ac5e6e8

SHA512
5723b48109ba7230457fe1a19b0fd1ec85e5e0b223cd5935f99b87c573a5407ce997bb52c22d992b8d730250c7fd63a413283f6d8364a345bdc042ed7afe75c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
62da4c47d2c135a24aed82ff4d906527

SHA1
7bfae66fc3ba4ee19e165375f3198833651e64a9

SHA256
88aaf1eef32e81a25667ba7a7e1fc1a84efed5818bc7b29bc6a64049544b63ae

SHA512
30553c4aef2728844cafa8ab39ba8a77eb711d9ad369c6416e8a3ce98ec09f7b429a41856c0b4a54ac7d2a517386503caf4544353272e473faa7c6077c6aea6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
8e35d4c851f2958cf26d6fbb7144f6e3

SHA1
7c2852d1524dba8aadd0e05ae77dde09b907f84b

SHA256
4d9c67f0674767ee22c38e720d1568804d7e6d8e076ec69aa56f4720a52ebe7e

SHA512
2541ccfae311d1ecef359bd8a5a9772c0896654cbc5ea63b684736919c588eafc0c3b28815d47afb3ca3e1c2f7e06284a3549713aa663aad65b8e9747b4f36c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
a7cf4d003693580cc61026345143c4c4

SHA1
436f917047e625cc5d411a54e77c7fc2b90a47ba

SHA256
1a7ceb1eb330caf7d0504c51943d1454d6c1c804d73141654d81688ea3efcb27

SHA512
552ea0d32a3b73c6e4736fcf1eb0bcf08ffc26b75779ac5e69e5044a7dbab3a9e9da26981ec099a4f6e6a002a2973e4e95810b9920dc47a70a76cbd773dc4230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\datareporting\glean\pending_pings\0d259a66-dd8c-4d94-8832-30b3a59ec656

Filesize
982B

MD5
b4ffd79f4a33ebde8bdfa387eed734c2

SHA1
81601f41314d9f3cd1e1ffda8afb938ba3ab727c

SHA256
a683b42c43a70ef67baf58ced6b76c59c0aa90ed80d281c9146cc2611d7dd5ea

SHA512
8662c559ed82be2181aa60cf42417739e239888e8ebd08d8a11d4edbafaed62950f9bea657e7f03102e405cf5b73ca168d9164a156e5df1f0cd41125b4a3ff14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\datareporting\glean\pending_pings\10b0a528-5410-4c0f-ad53-b14ed754f7d4

Filesize
659B

MD5
6ef958cc05b76c434764522d7ac97496

SHA1
d08b2d149c43e1f3d6dde126b57d24ac887a6bc5

SHA256
c39d79665870350aa71283d315b88b1478847eff0e9905727d1a4c8796fbd416

SHA512
14f1ae879b932b7f559374b5934c824ff9bc4396715105a7804a89666309c9817b3959ba728554d0ac491a73b10a20bd55636cb406d355055b91ecd2004768fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\prefs-1.js

Filesize
10KB

MD5
b0371fd972251c89e99d62e2b8fcf6fa

SHA1
2b1e2bec866f5fdbd52d44b39ab5c6fc68a7c7be

SHA256
f28ca04bfc3a9ef33fa119a2f4d99a79a3c4aa0105228b67520fa91b38d4f147

SHA512
8bb7970d8d5f4f67802505a5178295a71c38cdd5741284dcc74eb07866955cc035da12b4ffb3e660b2e0aae71f0efd607e0d6da511370d90508f164be8356d85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\prefs-1.js

Filesize
9KB

MD5
7f145e3a1a736ab5a99c9c1f65e058c6

SHA1
84a0225dfffe5618dd425187d1551bf4b9516819

SHA256
7638d9d59948349fe323852939d0b50c31070d30aa865e6fb1f0b57cce9dd6ff

SHA512
330ad88c054953b67578952d7f9cf75e79f1a5e9049eedc8831a8401bdb9476a5ddf4b6d65d871282baab1708589da32466951e868cf5bbeb00fda24220cfd75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\prefs.js

Filesize
9KB

MD5
883b8247f1ac2f8d78fc0b50d25fa1c3

SHA1
32e6b3ce78e1c2c4b70f6aa0d6c7f783be80146a

SHA256
d0cd689153632f3c55d6872e3fed9581171183f1f35fa33c086c7f9d87aa2708

SHA512
a481600ae32952d9cbd4cd4b1710752852956c929c09ce3578f6c05c24bd20bf11caa3fe7f198613bbc7bedc726508196b48d01e72163942bf8d2853c89817db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\prefs.js

Filesize
9KB

MD5
395919ce76d3a77dbfcfc96ed4a45303

SHA1
eea09436f19f1dcbb8450430f656eaf05009748e

SHA256
774e491a6ac80d36c4e2ad969317727f33045013a5d047e6ede9459c3b672ff7

SHA512
db9931214a4db55e654a42b32ef6a0721991ecf66c57dc534e2f7a3c70a91e80853da697649f315b671a509dee64f71103ddcf02a0874e46e5c4ce896360dd6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3088cvpk.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Windows\B4AA.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1664-14-0x00000000027D0000-0x0000000002838000-memory.dmp

Filesize
416KB

Download
memory/1664-11-0x00000000027D0000-0x0000000002838000-memory.dmp

Filesize
416KB

Download
memory/1664-3-0x00000000027D0000-0x0000000002838000-memory.dmp

Filesize
416KB

Download