badrabbit | hxxps://github[.]com/topics/malware-collection

Resubmissions

04/03/2025, 12:34

250304-pr6r5szybv 10

04/03/2025, 12:24

250304-plgaas1k18 10

Analysis

max time kernel
437s
max time network
438s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
04/03/2025, 12:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/topics/malware-collection

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b130-550.dat	mimikatz

Executes dropped EXE 7 IoCs

pid	Process
468	Locky.exe
3084	Ransomware.7ev3n.exe
3716	Ransomware.BadRabbit.exe
3080	Ransomware.CoronaVirus.exe
4208	Ransomware.CryptoLocker.exe
4752	Ransomware.CryptoWall.exe
3052	{34184A33-0407-212E-3320-09040709E2C2}.exe

Loads dropped DLL 1 IoCs

pid	Process
1500	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
2	camo.githubusercontent.com
32	camo.githubusercontent.com
33	camo.githubusercontent.com
34	camo.githubusercontent.com
35	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-addr.es
59	ip-addr.es

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	Ransomware.BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.7ev3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MalwareCollection-master.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5296	schtasks.exe
5308	schtasks.exe
5264	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
1532	msedge.exe
1532	msedge.exe
3408	msedge.exe
3408	msedge.exe
236	identity_helper.exe
236	identity_helper.exe
1624	msedge.exe
1624	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
788	powershell.exe
788	powershell.exe
788	powershell.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4752	Ransomware.CryptoWall.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	436	7zG.exe
Token: 35	436	7zG.exe
Token: SeSecurityPrivilege	436	7zG.exe
Token: SeSecurityPrivilege	436	7zG.exe
Token: SeRestorePrivilege	4756	7zG.exe
Token: 35	4756	7zG.exe
Token: SeSecurityPrivilege	4756	7zG.exe
Token: SeSecurityPrivilege	4756	7zG.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeShutdownPrivilege	1500	rundll32.exe
Token: SeDebugPrivilege	1500	rundll32.exe
Token: SeTcbPrivilege	1500	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	WindowsTerminal.exe
872	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2468	1532	msedge.exe	81
PID 1532 wrote to memory of 2468	1532	msedge.exe	81
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 2672	1532	msedge.exe	82
PID 1532 wrote to memory of 1088	1532	msedge.exe	83
PID 1532 wrote to memory of 1088	1532	msedge.exe	83
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84
PID 1532 wrote to memory of 3044	1532	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/topics/malware-collection
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca5063cb8,0x7ffca5063cc8,0x7ffca5063cd8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,13181282690268495032,12215263389735281431,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2456 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Virus\Virus.9X.WinNuke\" -spe -an -ai#7zMap19807:206:7zEvent22010
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\" -an -ai#7zMap31522:3786:7zEvent6632
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2860

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2372

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wt.exe"
1⤵
PID:3508
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2820
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:1180
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa50 --server 0xa4c
    3⤵
    PID:4196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:788
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo off "
        5⤵
        
        PID:4108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo off "
        5⤵
        
        PID:4428
    - - C:\Windows\system32\clip.exe
        
        clip
        5⤵
        
        PID:4340
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Locky.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Locky.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.7ev3n.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.7ev3n.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
      - C:\Users\Admin\AppData\Local\system.exe
        
        "C:\Users\Admin\AppData\Local\system.exe"
        6⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        7⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\SCHTASKS.exe
        
        C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5264
        
        C:\windows\SysWOW64\cmd.exe
        
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        7⤵
        
        PID:5512
        
        C:\windows\SysWOW64\cmd.exe
        
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        7⤵
        
        PID:5520
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.BadRabbit.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.BadRabbit.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3716
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c schtasks /Delete /F /TN rhaegal
        7⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        8⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 741991499 && exit"
        7⤵
        
        PID:412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 741991499 && exit"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:00:00
        7⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:00:00
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5296
        
        C:\Windows\4237.tmp
        
        "C:\Windows\4237.tmp" \\.\pipe\{79D8F8A7-0502-41E1-BAD6-86B606FCC511}
        7⤵
        
        PID:3584
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CoronaVirus.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CoronaVirus.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoLocker.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoLocker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4208
      - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
        
        "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoLocker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
        
        "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000238
        7⤵
        
        PID:1668
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoWall.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoWall.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4752
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\syswow64\explorer.exe"
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\svchost.exe
        
        -k netsvcs
        7⤵
        
        PID:1152
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.GoldenEye.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.GoldenEye.exe"
        5⤵
        
        PID:3076
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.InfinityCrypt.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.InfinityCrypt.exe"
        5⤵
        
        PID:5052
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Jigsaw.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Jigsaw.exe"
        5⤵
        
        PID:4756
      - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
        
        "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Jigsaw.exe
        6⤵
        
        PID:3920
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Mischa.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Mischa.exe"
        5⤵
        
        PID:1956
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Mischa.v2.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Mischa.v2.exe"
        5⤵
        
        PID:928
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.NoMoreRansom.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.NoMoreRansom.exe"
        5⤵
        
        PID:652
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.NotPetya.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.NotPetya.exe"
        5⤵
        
        PID:4784
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Petya.A.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Petya.A.exe"
        5⤵
        
        PID:1196
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Satana.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Satana.exe"
        5⤵
        
        PID:1604
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.WannaCrypt0r.v1.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.WannaCrypt0r.v1.exe"
        5⤵
        
        PID:2548
    - - C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.WannaCrypt0r.v2.exe
        
        "C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.WannaCrypt0r.v2.exe"
        5⤵
        
        PID:3592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.DD28355ECA9B248EB40A15815E609E005A2875F512A8EABA1A23C48D33C52040

Filesize
32KB

MD5
c1f1a88a9822d382b516143a8cd58a93

SHA1
f4fd3933e07ba730f7aabe3a66f3fc00aeb5c2d1

SHA256
7d1953c5521443a3e0446d785620397d2999a3c0e61bbf1d7a9e30209e6aacd6

SHA512
119cfe5cccf88716ba522d9f7c4c9a681d28a1febe0db8d9aa40339f757c2a27ee5ba0161fac05722d03bfa9576b594d2ebfb4cc81872c0f43384abe0899cdc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b98903eec4d4ba62d58ef15c040a098c

SHA1
edbfd3947a194ddd1ee2e2edb465eb7a57f27cb3

SHA256
698d9fcc6775ee16a41017cf13ccd9614001c681b8a4da741a1851f1b9f48def

SHA512
ee53739c6c098c48a594768bbbbada27d9728034b85e0e67220be097007348162f257a31f0669bcd17ba142b10b110680c3b5b18f9c40b37e5fa1fe8124d27e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
afe073f7cd46dc621114e4f8757336cc

SHA1
2063f15f773ff434b375a1fe4c593bc91b31f2e0

SHA256
e54fed17731c51a64a17e37dc2511159e55b308f0a67939477494c15166ebffd

SHA512
bfe0b1bb10d93def5ed5104e8aac1d74991de2ad64042ebcb35ad43e3dc3bfdb47d126a3c6632238e68c8e227187ba05f81192b50843162134222446fdb0b25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ffa5aed3a82592da5f824e1923c9d24a

SHA1
4406a3069cc0c5acbf1fac8b512e89ddd4c095cd

SHA256
804e372c1b8183085c2fa363ae561b2ad600185fdc2ee46874655f54f98963e1

SHA512
03eeff570ec14abd8b4ad85c5818eedb84d19be5eeac8ae49a6edd6c94c099bd533f1031b8879467fa0a09d6910ca5b0b4fff7a47afa5a3a10ea9dcfe364a6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
657B

MD5
7618662a2a7ff595d99c17a84807a8fc

SHA1
b9777164432f570843d463dedc0d963cfe6758a6

SHA256
175af3452b59107f5580818989bdd27067a0db99b971fb8f52896bfa8e9a0db7

SHA512
cd19fa196c9eb2e4770d3fc9d3f10e115a93e019c65328998ffe09fae7c20bb2192261a43e8527f7a3db41b2488cd70d94bbd313eabda5b9665328c4ba100c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6747a2896d57402aa83dc0ab1e1f1ae

SHA1
6b5b21ee2fbdc81b4beb7910aaf02d875ab3d7be

SHA256
145f9da053c767fc437db28f7688e17f5ad111a5f6d286d2c3d6d9596c412f49

SHA512
f83e6205870689f0ebfd585a3a904eefaf9db1c90373979c60a91cc10847700dd38fdbfbbba9499dc8fe841224896469f793847696f91b620c3fff46edebd309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3330d0b5b2449cfe3537867439115ec0

SHA1
1edfa5e419e5131167b2e18d65a3f951e63b7875

SHA256
4f90b5df0aef96bdfa83bc4b9f1ed21da2ed35fed531030ea6c233dcd8aa95f2

SHA512
d91988d595d6318748f70a6a2b54df018f3ebbf6a6174b5d7509d34def4b68045fd3c66b974c9a2c7afddf7789d73eaedd8711be968d3f211554114a49f6cc66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31d72c8118ba2d2f45744e6aff765a5d

SHA1
dad691addf977b5b60f9a92ca83e7517e47eecde

SHA256
3536f18af3990137aade48787dd1b2d528eddd7cd349f137cc54b34aa481cf3f

SHA512
d94cf1583f151e201b3dcd8d5964cd6241874dfb9f48ae269ddf630b651608de091e0e0bc8a15900c3926eca9e9d822c0f6f59fa64472001ff10c994a40e5bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
279cf2cf234dc6efecc042a076af3f92

SHA1
f65ba2e8eb08c8a646a7d9951f3d34d6a611d7a2

SHA256
8f012a51383a6a4e3db64ee9d33e6d236e2d899712709ae444d328896ac85f0f

SHA512
f58920574b7e159f6ff58167dce25d935c243cee077407f8c40b33096e1fc731848e9ee7962630c4bd57e765105a34625c7dbd7036c5b08b973d97f4599e688a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff20.TMP

Filesize
706B

MD5
2239c1cd775135c9227c541db2d57417

SHA1
41417c6ae451f0e4239ae76983b8f28f8959e025

SHA256
a69c1c20a26d25553a91f7b5962dfa7afbb0919ddf0961588d3f355b68210daa

SHA512
3562d3acd68c46d8218f0e5dc2e7ffe73db067760291188e167c2e7bbbdbda9bbd110911108c877a1577be437e600f8dacf0c0d192bfd1d0d37b74a77df30439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ee68c620a9f3badcefedb4d2e5f03a6

SHA1
6067038e6466d9c289a189f5aeb8a1aeb4d45d26

SHA256
9ce79234c90c64be12d772c3a5352250009f4867c232b5aca53c35172cfde206

SHA512
d933efa0bc973afc32021de1003ac294c2a78ee71d01c2c16bb2741df5a0bd4d377b90020f7e093024add3f4fde3b3b316922063f1ce3b57104b6632b5529456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec68272d86403dedf4ffe293285249b8

SHA1
73911a28ca98870f130985961c6c696e5e820849

SHA256
1bf3e16c9c248ad0697382d5dc5d4df380912c76d3f8304071dab6ef57c077f6

SHA512
10137446cd2cbc0ecefda837a7b284a5495d24f0d09b0b9856e735797dc18503e922127fd1cf5340e032df7f46d17084fe4743e2208c7479d8c09acffebf69c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5eefb88d23f75785ed39b5c5c2201dc8

SHA1
770f878e850cf216a28327c03766ffaf9d2e19ec

SHA256
4b468eb86b248e1d321adb090bb1417b3fd1e5826c923980750c6c04c256b084

SHA512
cbe727969bb29dfb2e64d064358dc933ccbd4e77429fbd6936f896bdc4e74ba2ac4e5303c19b20273ee7aae6595f2cc75677b8742350064e025a723fe2493a7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\fd849cbb-7562-48af-a104-4b100ff8e97a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1k0sgdra.h31.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
03879716db29b6bf4c06b5ceb5efb616

SHA1
d458cb848fc1419fe5f8e8d7a7c9c70cdc4ad0ca

SHA256
4c435b0d4ce8f2cb7347c0f3fae5037933948b116142b5091e12bd9dfccf074d

SHA512
cf21a642116cf44f5cdf0b859d2aa1df65ef46eda148f1ea0dd901a59e0cbd5c1cb874712625ea810a4aca17bd7af623aa16af8f809baa204a74e2b6153c7f59

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Locky.exe

Filesize
180KB

MD5
b06d9dd17c69ed2ae75d9e40b2631b42

SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4

SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.7ev3n.exe

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.GoldenEye.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.GoldenEye.js

Filesize
365KB

MD5
b569d40e0084c0fb80078fbf808f516f

SHA1
2d18d4c3f7cb914faea39553ffd8ed7e1cd4151d

SHA256
c0adb85d67ffe4663e065b195121a43fadb9c2930c5a0d20a032acd31a64fbc9

SHA512
313373938c0b28ea528a6fb8b628f3f80e677db9a839d0dbb082c2c092087c632674f4d5d4d46aea26a48239bb276a8d7d2cfaa14b6c26e16b6cf95813dc0fbb

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Jigsaw.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Mischa.exe

Filesize
878KB

MD5
8a241cfcc23dc740e1fadc7f2df3965e

SHA1
1a5faa5637bec9805039a93d6e199bac26fce413

SHA256
d4b6524315d5de727a8af3e4e73e8b28dab27c62fd0a6a7a891460061c2f3d60

SHA512
440528b7f92d6703f008124206b9afce3d72efd30cc31b67386fa515f939b72a7eb8afe0b0cb81586680708948afdee021e33e9e5310b59aa3ab2bbdb2128318

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Mischa.v2.exe

Filesize
279KB

MD5
c8623aaa00f82b941122edef3b1852e3

SHA1
1785230107633bf908034ef0d5403367765bcafb

SHA256
ecc5cc62c8200954079191e586123522f88aa1414ae98908380176d75d2e7eab

SHA512
4223cdb0734ba3d9055503b73e1c69a94299c345c19aca52ef85d5eefcb7715756b8ebb92c9c462030d503af47653cd6182e1e14d04cc32309c6200db458b3d6

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.NoMoreRansom.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.NotPetya.exe

Filesize
366KB

MD5
e5cc289b0b2b74b8e02f5a7f07867705

SHA1
81a884e16a81979c7fe56e61bcfdb94f8bb937ff

SHA256
6497eb7e530ccecce0bc9d8a0771221d7e980b7be875b2b3969110eb8b8f2305

SHA512
4cd22f953ce44d6d960dbe2bf651ae01fc865ec45742450a24a15c6f6b48b825b7979dbf287bf87f8290344f7bf5bf69d1c1f762f2e81a27d1fe0997712a5d2f

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.Satana.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.WannaCrypt0r.v1.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\MalwareCollection-master\MalwareCollection-master\Ransomware\Ransomware.WannaCrypt0r.v2.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Windows\4237.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/788-418-0x0000023BFBF20000-0x0000023BFBF42000-memory.dmp

Filesize
136KB

Download
memory/788-427-0x0000023BFC340000-0x0000023BFC386000-memory.dmp

Filesize
280KB

Download
memory/928-497-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1152-512-0x0000000000D20000-0x0000000000D45000-memory.dmp

Filesize
148KB

Download
memory/1500-462-0x00000000027E0000-0x0000000002848000-memory.dmp

Filesize
416KB

Download
memory/1500-524-0x00000000027E0000-0x0000000002848000-memory.dmp

Filesize
416KB

Download
memory/1500-454-0x00000000027E0000-0x0000000002848000-memory.dmp

Filesize
416KB

Download
memory/1604-513-0x00000000011C0000-0x00000000011E5000-memory.dmp

Filesize
148KB

Download
memory/1604-471-0x00000000011C0000-0x00000000011E5000-memory.dmp

Filesize
148KB

Download
memory/3080-452-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4756-498-0x0000000000A80000-0x0000000000AB8000-memory.dmp

Filesize
224KB

Download
memory/4756-501-0x000000001B680000-0x000000001BB4E000-memory.dmp

Filesize
4.8MB

Download
memory/4756-502-0x000000001BB50000-0x000000001BBEC000-memory.dmp

Filesize
624KB

Download
memory/4784-565-0x00000000005A0000-0x00000000005FF000-memory.dmp

Filesize
380KB

Download
memory/5052-511-0x00000000059B0000-0x0000000005A06000-memory.dmp

Filesize
344KB

Download
memory/5052-496-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/5052-495-0x0000000000BB0000-0x0000000000BEC000-memory.dmp

Filesize
240KB

Download
memory/5052-499-0x0000000005DB0000-0x0000000006356000-memory.dmp

Filesize
5.6MB

Download
memory/5052-500-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/5052-510-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads