badrabbit | hxxp://malwarewatch[.]org

Analysis

max time kernel
1046s
max time network
1047s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
13-02-2025 08:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://malwarewatch.org

Score

10^/10

badrabbit mimikatz defense_evasion discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
5088	fsutil.exe

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Clears Windows event logs 1 TTPs 4 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2252	wevtutil.exe
1072	wevtutil.exe
3400	wevtutil.exe
764	wevtutil.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002af65-893.dat	mimikatz

Blocklisted process makes network request 22 IoCs

flow	pid	Process
331	1652	rundll32.exe
345	1652	rundll32.exe
356	1652	rundll32.exe
368	1652	rundll32.exe
379	1652	rundll32.exe
391	1652	rundll32.exe
402	1652	rundll32.exe
415	1652	rundll32.exe
426	1652	rundll32.exe
438	1652	rundll32.exe
449	1652	rundll32.exe
461	1652	rundll32.exe
472	1652	rundll32.exe
485	1652	rundll32.exe
496	1652	rundll32.exe
507	1652	rundll32.exe
518	1652	rundll32.exe
530	1652	rundll32.exe
542	1652	rundll32.exe
554	1652	rundll32.exe
565	1652	rundll32.exe
577	1652	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	C922.tmp

Loads dropped DLL 1 IoCs

pid	Process
1652	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\C922.tmp	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1148	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FakeWindowsUpdate.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4040	msedge.exe
4040	msedge.exe
1412	msedge.exe
1412	msedge.exe
3352	identity_helper.exe
3352	identity_helper.exe
1808	msedge.exe
1808	msedge.exe
3952	msedge.exe
3952	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
2032	C922.tmp
2032	C922.tmp
2032	C922.tmp
2032	C922.tmp
2032	C922.tmp
2032	C922.tmp
2032	C922.tmp
1776	msedge.exe
1776	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1652	rundll32.exe
Token: SeDebugPrivilege	1652	rundll32.exe
Token: SeTcbPrivilege	1652	rundll32.exe
Token: SeDebugPrivilege	2032	C922.tmp
Token: SeDebugPrivilege	1776	[email protected]
Token: SeDebugPrivilege	1776	[email protected]
Token: SeSecurityPrivilege	1072	wevtutil.exe
Token: SeBackupPrivilege	1072	wevtutil.exe
Token: SeSecurityPrivilege	3400	wevtutil.exe
Token: SeBackupPrivilege	3400	wevtutil.exe
Token: SeSecurityPrivilege	764	wevtutil.exe
Token: SeBackupPrivilege	764	wevtutil.exe
Token: SeSecurityPrivilege	2252	wevtutil.exe
Token: SeBackupPrivilege	2252	wevtutil.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3484	1412	msedge.exe	84
PID 1412 wrote to memory of 3484	1412	msedge.exe	84
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 2168	1412	msedge.exe	85
PID 1412 wrote to memory of 4040	1412	msedge.exe	86
PID 1412 wrote to memory of 4040	1412	msedge.exe	86
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87
PID 1412 wrote to memory of 2040	1412	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://malwarewatch.org
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff952cd3cb8,0x7ff952cd3cc8,0x7ff952cd3cd8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5408 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,13697392090653787617,9389120208037245639,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Njc2MEJBOEUtRkU3Mi00QjlELUJGRjMtODdERThGODM0MThBfSIgdXNlcmlkPSJ7OTU2MzdBMUItMDMyNC00RURCLTg4MjAtRkUzOTk0MzQ5OEVBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTM3MTlBREMtRUJCQS00OTY4LUJFNjUtQkMyOTgxQTg4MUE2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NjExOTcxNjMiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

C:\Users\Admin\Downloads\BadRabbit\[email protected]
"C:\Users\Admin\Downloads\BadRabbit\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2420
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 640962435 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 640962435 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:18:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:18:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4352
- - C:\Windows\C922.tmp
    "C:\Windows\C922.tmp" \\.\pipe\{075E8584-C6CA-4C7F-B658-E3D5EC0018C5}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4092
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Setup
      4⤵
      Clears Windows event logs
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl System
      4⤵
      Clears Windows event logs
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3400
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Security
      4⤵
      Clears Windows event logs
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil cl Application
      4⤵
      Clears Windows event logs
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil usn deletejournal /D C:
      4⤵
      Deletes NTFS Change Journal
      System Location Discovery: System Language Discovery
      PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:4288

C:\Users\Admin\Downloads\FakeWindowsUpdate\[email protected]
"C:\Users\Admin\Downloads\FakeWindowsUpdate\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e3055 /state1:0x41c64e6d
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a14c2ec70a0175c20aceee2cf4d425f

SHA1
47d680bf85143e5a941b9a2e459bca4c9f8e51f8

SHA256
8e424c207cf0e2e4780c5fd51143b92e9e7a8ad36a9477a8a6819e4b3d4c8d79

SHA512
b9c2dd9927a4fbf1628537235178fdc98f849a30ade35607cff43f479011ab82cff20ce21df9ac3e9d6aceda4d8481e30de973a12451d9ee05a091d9098c11df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ca9db6aa94730283d8a369e08f8f710c

SHA1
c1ef5c3b08fa3ee3edec4155a31cd20312cb7b09

SHA256
60ac735f5b28b26af18d6f5b4cbaa8b81a01ada539c946bfd8ec32379b0c3b33

SHA512
27d982e3f854ee4e6eaba491679ecda3f60aa086bd5a75ee7aac61d01db177a68d9f1185e7039c623793974ae478cd1b3d35b5df4cade0204d5c0eaec4ab9d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
21KB

MD5
9f40fb2ed16ee16f0a8ece100ed3c114

SHA1
0dc24bf45f0302ebb56206e85652fc83617a9d3d

SHA256
ce163ff79a667b7c2dcea4f216033f67313099c7f9dbf2e783ced8933890c0c2

SHA512
92283e99fe2f48179c5e52e9535d4fe93e5aa81f72e4cd99edf254935192ae1abf3b026f9e2711468469b892eea851f46ffb2077976d99d8a953f7122a644a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
20KB

MD5
97fd172ea9bc2155318674c6b964a103

SHA1
e4612c3f9366e19910a3fedabda93f1986b7d027

SHA256
85b36030f3db78415fa6f70bf4c4ede746c9c1950468a0704852a84cc752530f

SHA512
273b686342c42dabf8f466f58505f6d227dbdbea2b6ad39b8d0d9a7ee36daa4874559ee9bf9c83a1e163f020c1da7fc16651fcc16da27aa76d2c5080d3a50a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
37KB

MD5
d2610a5d8eb0910f15b4d0ba1db62ad1

SHA1
a48324d4034a4aede07736a1e1236edc09f82109

SHA256
30cfccf9517449b44740afc542d5ef80255071b5fbf4f36d767bd479dec3fdb6

SHA512
06c3abdb2ed0d6b9ab1f9b2172b1ac28862a8b27abbcc64250aa43302792cba76a201b2b1a180159a50658ba34657464335cee2f2cd8511e34133657bc1b60dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
26KB

MD5
525579bebb76f28a5731e8606e80014c

SHA1
73b822370d96e8420a4cdeef1c40ed78a847d8b4

SHA256
f38998984e6b19271846322441f439e231836622e746a2f6577a8848e5eed503

SHA512
18219147fca7306220b6e8231ff85ebeb409c5cc512adff65c04437d0f99582751ccb24b531bbedf21f981c6955c044074a4405702c3a4fae3b9bf435018cc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
18KB

MD5
df5df05b063c584376d235fa678175ec

SHA1
a38b234dfbddf38a915f6e3e80123d2acfadbdaa

SHA256
13abafa660e5d4cc56de010f88b1ebf8fc39ec77b1dfdffa28caec59f15ef71d

SHA512
bfaffa447e3e84e32cb4665ad75c4d8ea71bbe9b2229d645fbe41961b5503de67498ec5b107d6368aeea9366c185bc04d31100fa920ca4673633baf679ab6116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
59KB

MD5
adc01e84b8714e4fda2bcd6e3dd6cad0

SHA1
ebffe4abc6135d172580a86cd06d19aec5de0198

SHA256
b0dffdd3ecd3c000a704d234d212b2931aed724ac9a1a24993bfe2265d7c4f9b

SHA512
6c311aaf951c93e109a29f76d0ea0d593390600f021ebb468deae5943d801c68601bcaa0d5ae6085294831591dbb79f989d052e33e25991e22909487b89bf03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
44KB

MD5
d31c62c41b62b7f775624119badbbe80

SHA1
5fd699c0ba1381d44dd1c69d31a28e2142aa8af3

SHA256
264c5adddbb103dd502d220154515533d4c0f8c2328701a8649faf9b980a3fd8

SHA512
20b4a986e7b74b581706d8f8454593a7928f45838a7d153bd2cb8ca6f3d01bd8503954c0faf192d0e93fb798abcf3375fad99ee6d3456c19d33b7881a35417cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
55KB

MD5
c649e6cc75cd77864686cfd918842a19

SHA1
86ee00041481009c794cd3ae0e8784df6432e5ec

SHA256
f451a4a37826390ab4ea966706292ee7dd41039d1bedc882cbc8392734535393

SHA512
e9e779870071fe309bbde9b6a278d9627c7f2402b55ac4c0a48c65b1de5172cf9dad2992f8619d7e7aaf978e6ccd607620de88554aa963f3d45501913ed49f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
16KB

MD5
76e05be2e7028a5ab01e2aef626fd4f2

SHA1
7155af7fa9a217c3544a141c50efb0cea8b3aa7c

SHA256
de8c06ecc4f023b4f594c8cb35cb950256ba7e9b4cf586d4dd5d448b090ace79

SHA512
81aa24cbe42dd22ae69fd20e0766d375728406636752b0b6ccab5d4c17e936361932f578bc0bd41140b97d1470c0f9577abb3dae8c9a245b8e5dd0234a3d8682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
109KB

MD5
7b7f4957ab47720f6f0ac08b96d8fbc1

SHA1
bab9cc87dac1981b399f96298196eb9eb1733de7

SHA256
bd563660346ade1ac3a7cb5fb923a320a79553b09ae36a72b024748801336dfa

SHA512
91ee8690cd6e4e8abbf7812b0a51ac4546e3a6666ace8106b833859bc6bb6ae5e8540210efe11d01f54d74829a1844885a9228213391d94c4530091ba0c378ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
16KB

MD5
d72ef85969357cc6e573795a81907d41

SHA1
f9643e276cec749527e387e1b62fee3677509f70

SHA256
536ba419c1b84245882926c01d16e549b45d4ceac8c5a37e631679a7a08495f5

SHA512
39a4799814020bee09a5e9246d1e004ca136c2e271af1626899d8941f62dec97d36a95922a9f629d167ca9d6c54f77436d9c8ecc75e317ae1cc54486c9f4cd50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9acd7c3250024c1ce62d161af5e69160

SHA1
6dc0706c9a1b0c0d092b64bbc335b58003a71716

SHA256
f5c1af9e0c66f74b2b2d4e88d42aa4923b68f93b880c42f35ba185e0d2b4ffc7

SHA512
cea83a247b705a10eab043938dfc4994ea1d7325fdf4b1aeb4a8c60b26e37f191826a5ac96f5352debfc796b52d90a3ed9569dfe95605b677337e19b2b99721a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f4670e988bedb8736e1ad59df3ab7d21

SHA1
6b8cf9cd189b8a78a04e8db40f3eaddb272ecda0

SHA256
7c98014388e8abc5f6053c79ee81f8d7497b3f084cf49c85b5f764bf2a6c2d43

SHA512
effd5de49e4ea463024040d9da9bbc80b80183867ea4b849b88693e660b218f4229f4d3f2dc2bc117aae0b4ea65de7b1436910677aa656be49c0ed7a391a75e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f3e1f6d8918e5db432f9661bbd6fb041

SHA1
778b9990ef7689d82a514ad8638493adda3b41af

SHA256
52a31c5df71752e55de5056e5eb41d0e4f1c1965610b63e488202813cdf51c26

SHA512
d65baec7023f89bcd4f1ce9ea6ae58e633230d48260e020df084bae2301011d525555509e8b6460a91ec5105a990a64945241dbfa92f8bc1157f18c5678a2c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
859dccb6fb1c6674cf6a0334ddd8562a

SHA1
7747e6e2b19bd951069c299cb5bd286f2a153e4e

SHA256
b174fa1337b759044af8207d7fe5acdf98c48d72716c658bec0c45f1312dca58

SHA512
c87e572c9356800f561405177e84fe70d05deb80f4c298f0f0e0aaba871581d310ae5be276f0c97353bd76abd028e1b35e2ceb7f96d2ffc2a9dfe9ce8b401f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66c3b72ccacd2832e3dc23291daa002d

SHA1
13a437a4d92395f422a2f6009cb16d5454a92d21

SHA256
5c4cd1dfbd4d86aafe17a6f60b66f5d396e4c586ba4ee34035be57a00ce027af

SHA512
b9deecdf375d8ce0a1d89504c1e9bcfefc9c1503dd9088d3d72cc1945f3773de1f04531c2df6867751e92c8732cf60c6b456cbc7089af0f011a85ac5369276ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9f466c012aef6cda7f6a3379e2582589

SHA1
35f888801eb5395eeee1c086f920c3e584992cbc

SHA256
63e56d8317808f28452d7a3b02d1cb351dd2a148ad05058997281759884136ec

SHA512
8a730a0f311f64a5d7cb3a34acc699d82d09f1acc86a028cf89283695b78b3a74abd103968df0ea4e88900d5332258c27f6eabff47591841fc08b67d104a90b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
35b51b8cd51f5a9e6488cd3c4c78cc2d

SHA1
74dea4dc4207532bd34aca3ba35bfe46fa8957bc

SHA256
d07fb0d0e7faa891ce05a2f03f9e6ce32c699d105e12aabc5738876a96c51a27

SHA512
5ab73f9763405537a3d7e8cd2f78dd1624bfd884f94668816475539c9fd8216e7e4143ddd34a4a2e3462497b462fef6768a5b8b8f511d4f36a94b38073ec5d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e09c4a05a2397a9b482bdf083926d98c

SHA1
6d1f0642eb6ae55a09d6d45bad774c1ce7aec86b

SHA256
8176f01698a4eba1d923ded22623fee304deaf54cd0627a34df85ae594c50fd1

SHA512
045f947e597be1b0f24a0a58ae92a9af64b8917d638c8904f8581b4dbc2a5b95bc031fffaebc3e90aa6970cc8fefb5e619b4eec3241576af661ce798ca427b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
65cc162da580be0a2aab5d70727cf7bc

SHA1
17bd5373a5d11adf8d71325daef1eed125413bd9

SHA256
c81be57f8e5eb5ae33b2b90e2eb7e959ec5ac1cc03eaea304134c9f95cac977d

SHA512
2d5c97858ecdcf71d46203c6e6ba58b702d8d58297a8feef8b8de7efd3cf43ce8d1b0ff7a47f95e14e630db60ec3eb72384776ec0ab34c6b3cd6cd6c450e93b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5aa5d7a40b394411c4a97d46b5495200

SHA1
b6f7b346cb26014914f3a7de3fb7eb45aa81d306

SHA256
39048828a89dd6bf9f2a0cc7ea9fa4eebc819d08d6515527686029e7cece3cd0

SHA512
f6432172bc7cb96a1d480b0aa57fea260c1043a6238552f828901cc8e14480072c67ae64dfca6bb43ac9f7bce5cd505f2d9ede13c9ccbf282bdd91500b737120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0fd5afacdeffa8e705f25c853cfc2fd

SHA1
75ad762dcc931fc29b8503134801f804bb4f2ed2

SHA256
961d90631a2ca160f8e5c8b6fae8eedf890242e8d2e9f9e98e09bbbd61cf470a

SHA512
801388e4eb93c9bf44434f5b2504393172d5e6d820f2e0e34290e1c532a6b3f7eb3ddc7890f3ee1543f8c121c1d6544bd2eae79fa9ac4c53c4cf5f7640321e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e0a1b41340c00799e37b38994699c39

SHA1
53e4b0b4f56b2b5331b974a59ff0943f30a5bb03

SHA256
303da750be28d486c68caeb8f346a233d51ae83392dfeef07ec774c289cd2ba6

SHA512
c747a83b3ebd096c64da861ad3ff796a4bbdf897d7ff5ef47a82b5bc5199bbd99c28570b8ecb438249b47459a409be6b6d83cd3c9afb0024982ac7d8e6a2a37e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b80641dc6040bab59de7780db27b825b

SHA1
14783a60a04f15139cd2aec2951a4af5c938205e

SHA256
df595392cf16ab16419bfeabed67217c006188045197d8e9ba65a14ea3339826

SHA512
42b9038b7b485dbc7efc697801b019bd9a4996ef745901a7068b3e8a2bb8408cb066cb727c317513a38ecda0a5649ed1f23653e65ce87c3fac813356a9b914df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4bf7144d90e5b2723bcee06c0ab21fe

SHA1
d57e01ebc1f1e859a4ea8fabad47909c7c2d7d5a

SHA256
09e530106a35be8da4199fbb5af6068e6fda45c562752b7319734e0b95b033bc

SHA512
e3135b0aba874d4642d16cdab2a0b24ee7b2e72359c8eb651e22800b033e142f72cbe5e9670ad901f6489a5ce8242edfb674da9b0eef9718e987fbc7e65495af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51e7fd3ea47e01fae827e36ddc46da91

SHA1
7fe07fc1695dfad4f4d0c661eb9936a2478c10ca

SHA256
7055ec32f2abd8b01e2a96db131110209e83a0445e1758b286650a257c134643

SHA512
7265c01932d381f6237de7c2b9b4e1e6d082101f45d78f194a7fe47bf381a7750d76a65b9fa68a84aca34c95a0549125fe137553f85cc5ede41b00faf23887f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bdadc7d35ae70aac2976ebf732ad2816

SHA1
e207e7b2cabd8d12b92840da1df72d55470229b5

SHA256
33a8944032f8dde53bdee57c49add3998b2d2e40825b214a7ce8762e32de6c62

SHA512
f81df4e17953ad143d40daaa24ab082fe53160a2841b8021736fedb67e351e757a554d56642b5b6e8d503f28cf632ad2705ef5a5c466c71b72dee6f19a92b467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1320f5e7d667046b84a3d78a52643599

SHA1
9823374071e0ef481f549755b6e24a048ac9ae83

SHA256
b23a5eb0db0acbf3cf9de17b8ccf8e6c4518e72882a496789587c216b096da33

SHA512
3b94107737d938614be5a2ec519584ff2e9a2e8893a36bf3705810d1189f91f276de69404a02ec24c5aa9ac63826aded1911504a7ded58cc8976d9c2d2cfa8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f6c4.TMP

Filesize
539B

MD5
05bcb03ef6fcd981b0294fa9381c2471

SHA1
55ce7a6401eba8dadcfcb896f231f0637782ada9

SHA256
cd605320f9ce5d9b1d9385187885e092a30cfcd0c646052c0d0a81cbf9ad0d88

SHA512
afbd9d980d1b2d00cd30ed8a20948bc0a30d9158ac71c7a72b2c093780ce42c27b8c1e13c7ea3c1a6b70fcb6e17bc1140f217de4cf55282a083e91417305c75f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68e65858437cca0704766370a08be5bd

SHA1
41aa6d4376170dd6d125959f23f176913a137ab0

SHA256
d5f27f9eeb54dab5c6022ba6456589f924affc7949ddbe21f5bdefa4011a0d00

SHA512
0249d2b229cdb48384c59960eecb5d6c745fd3949f8d2a00b6a5c1a986df13b3e107559a0e2839d63d6ac03e6b025e24eba540033d9161f9a9f36d78bd278988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bcd9e4935eaef1b40e63bb554a2c64b4

SHA1
2d788bca8268fa34b8d4e08d135f63d8bc728e88

SHA256
e0ee4a25926a5ea891de581b464187cbbc00dc47392ac74cee6f67b8630dd083

SHA512
78491b26e5b0a151c5b1d33ba437f7995be26bb983aa35938bda6a3bfe9df88900b2f4428a0007526ef58a69ae4fae9a3bc13ad18a2a35b37a44933dad89ae19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ff47d5ec-523d-40f6-adeb-9a46d4304781.tmp

Filesize
11KB

MD5
7ab47b6dcbe0d221b740044c12880547

SHA1
7b955e2a1c010674e4ae4507348f88375cc8f9d8

SHA256
89e795d0401f81eb8045e4127d93732ef2cf6258479404e70111a0458962c100

SHA512
0572e2dfd7f0cd7d5a5162dc5a8a4c279a2414d665bb424cadab7b5c515e7982a15d18bc390f5cc0160c8ca503a933624f802b4d1d073359ebfbbd3613510650

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\FakeWindowsUpdate.zip

Filesize
604KB

MD5
9e94a2a8c092b611420f8bfdbac7beb8

SHA1
38e21ee8cfa81fd26dabfb0923b108b54db6f409

SHA256
8f8f4fba17fdb1538ddff73763cf6bac274f2dd1fd53c4656d45f496ce690f12

SHA512
dc550716d82bbd3f44ad25f67d8d894d94e5cc1e15c996c9a6e3d9fe5fa9acfe5d2b9134736d72c4e2a72434298e6419987319242776e7bd68e0a87783c0fef4

Download Submit
C:\Windows\C922.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/1652-887-0x0000000002520000-0x0000000002588000-memory.dmp

Filesize
416KB

Download
memory/1652-884-0x0000000002520000-0x0000000002588000-memory.dmp

Filesize
416KB

Download
memory/1652-877-0x0000000002520000-0x0000000002588000-memory.dmp

Filesize
416KB

Download
memory/1776-1047-0x0000000000300000-0x00000000003BC000-memory.dmp

Filesize
752KB

Download
memory/1776-1048-0x0000000005350000-0x00000000058F6000-memory.dmp

Filesize
5.6MB

Download
memory/1776-1049-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/1776-1050-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads