troldesh | hxxps://github[.]com/enginestein/Virus-Collection

Resubmissions

23-02-2024 09:30

240223-lgpt4aef92 1

23-02-2024 09:26

240223-lekglaeb31 1

23-02-2024 09:18

240223-k9y3sseb2v 10

Analysis

max time kernel
359s
max time network
335s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-02-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
1988	Gas (1).exe
680	Gas.exe
1272	NoMoreRansom.exe
196	NoMoreRansom.exe
4152	Gas (1).exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000002a8a8-695.dat	upx
behavioral1/memory/1272-949-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-950-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-951-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-952-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-953-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/196-963-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/196-964-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/196-965-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/196-985-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-988-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-989-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-990-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-991-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-992-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-993-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-996-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-997-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-998-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-999-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-1000-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-1001-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-1002-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-1003-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-1004-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1272-1005-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
31	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3594324687-1993884830-4019639329-1000\{BAF11AFF-6C00-46BA-8F9A-12EAB4B8B14F}	msedge.exe

NTFS ADS 13 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 241387.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Windows\csrss.exe\:SmartScreen:$DATA	NoMoreRansom.exe
File opened for modification	C:\Users\Admin\Downloads\stub.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Windows\csrss.exe\:Zone.Identifier:$DATA	NoMoreRansom.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 211104.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 374260.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 873274.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 395045.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Gas (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 675570.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
1160	msedge.exe
1160	msedge.exe
2428	identity_helper.exe
2428	identity_helper.exe
4352	msedge.exe
4352	msedge.exe
4076	msedge.exe
4076	msedge.exe
3500	msedge.exe
3500	msedge.exe
488	msedge.exe
488	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3916	msedge.exe
3916	msedge.exe
4372	msedge.exe
4372	msedge.exe
4028	msedge.exe
4028	msedge.exe
1272	NoMoreRansom.exe
1272	NoMoreRansom.exe
1272	NoMoreRansom.exe
1272	NoMoreRansom.exe
196	NoMoreRansom.exe
196	NoMoreRansom.exe
196	NoMoreRansom.exe
196	NoMoreRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1160	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 424	1160	msedge.exe	79
PID 1160 wrote to memory of 424	1160	msedge.exe	79
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 2924	1160	msedge.exe	80
PID 1160 wrote to memory of 3100	1160	msedge.exe	81
PID 1160 wrote to memory of 3100	1160	msedge.exe	81
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82
PID 1160 wrote to memory of 3400	1160	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb82f03cb8,0x7ffb82f03cc8,0x7ffb82f03cd8
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1796 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7068 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3996 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6904 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1732 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Users\Admin\Downloads\Gas (1).exe
  "C:\Users\Admin\Downloads\Gas (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Users\Admin\Downloads\Gas.exe
  "C:\Users\Admin\Downloads\Gas.exe"
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1804,17724584301749988517,14087781893494233029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1272
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:196
- C:\Users\Admin\Downloads\Gas (1).exe
  "C:\Users\Admin\Downloads\Gas (1).exe"
  2⤵
  - Executes dropped EXE
  PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7078c389-eecf-47d6-b1e8-345c52e2e4ca.tmp

Filesize
1KB

MD5
12d25ee9ae722ed75dcb75a8a5b14bd0

SHA1
ad8cfdc50db06c5283efd643f10aa2a6cbe75746

SHA256
3167fc481b7ec7f1c590a23648f7bc59b31331c0eae790c789406d407309c8ae

SHA512
2ceeadd8e7582e974d5909e31ca3524665ef7bf8e96e24f8c49f5264d177fa1580be8105e08d023a7caed78e5355b7d1bdb442323f946dff21f4012fd8ace21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\99a67a47-c198-4b9a-9e58-6580ceb38689.tmp

Filesize
1KB

MD5
f119e9da849efc478d4bc24327fb8805

SHA1
3f661c93a78cdddb6cf2928689a04d1a7947f9af

SHA256
2279b2135ecd8766ee0312712943fa6185494d79e4746b7c1ef304decc49d906

SHA512
8979d2de7980f5336d630c1aef171519599bdd61d41fefbfc26f04a732cc33a2daea04e64415d19ac831a77e2485e7ee7bf2cbf981aabf8814ab6555d6e8784b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
3.0MB

MD5
ef7b3c31bc127e64627edd8b89b2ae54

SHA1
310d606ec2f130013cc9d2f38a9cc13a2a34794a

SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

SHA512
a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
08694da0d92c951e5cd6ece539546114

SHA1
a05d4f113ac2b40696eb5a57008cf5ae473753c8

SHA256
fa9adc36599fc997545908451b9d28fa2786fd8afb25f6a0752c1532dddbe96e

SHA512
70d3419b048fdf2e396fbb0895c7f7457db2a9ff0802aecd77f9f0eda7d77cded17559e11e545f5c35a5b92842ea9743ab25e4cb7b370eced4d64d618b6dfa41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
911842bd3dfbcbf87b3600fe888b8b56

SHA1
e5ab7389906f61cb8066f6e07f28dcd44d943f2e

SHA256
52777c8ab053974a9d92b79e91a00e3039434fb9b04e8130a2b33edb7b522625

SHA512
7a28ac5e6d5520e60a6fdf573a5b7c34f8af6b5276484236f95c2ac3cbd780f18d048aeb356b8708d583f3a39ec8c0e6c51c77a4fdb1074a33bb35b64dfe241f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
786B

MD5
f3bc236faaefbd1a795838cc4d027de3

SHA1
7079ed8d99ba37bb879ac443d7701a6fc2b3db7b

SHA256
150f1b394533d04ef60b888021ddd9601b9f10ab6616f470e55194e459d18810

SHA512
73b954962d7c6c3877e7dd183ff9c098b46e2e2ee8c517a2dce318428264836d4cca4a26b4841886f84ea97de49bfcb9d0255da52fea1085099876d307aa87cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
936B

MD5
56151b783244b345e6143eef84f539bd

SHA1
35579a6b93004d382b3e45640f8b5d0937120e22

SHA256
47cf95a0de5d99e99d262f575ae7caf0ef70a741d26a72fd0f5c558f5677b48d

SHA512
89998613cebbdbc92ca0c760710ec02e9168960531caabd0f3f02d9fb85654e754ee0b696bedd7826c300aa37aa9008442533f9fd5c5d5e985f3fb3372161864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14a0763783ba46620776883cba1289df

SHA1
0522876529509d77676742d20bd06eaca9211a84

SHA256
1a97265fc8150bff92702a2ccae6212965dd04f445b651615747b87219401746

SHA512
81c22a24fe44043fd388a598a13632bc42bd05ee94758f221aa32f45c9981f6e7f1243404a28f9de40b551a8ba3d24b02701e9b239c8c4bc801fa222dfcc3f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
276adf9043415d8793174b6acd2ea690

SHA1
c121699611a2648d941eef6d7a9b0d5a6d820caf

SHA256
bea229177db8f2dd7be87a9f536ace71ea3cf6e8d4cb9ecf97121a88fc6bd5c9

SHA512
db42e490dd4c7c620755c2e9043df8496f1ff784848700b52babc114751d6444e4b9a902d95a81cbd9c2c77e06a68e9143e0700444ac0f5f8b031a9948be8fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
21abdbdd78ea27ec1e0c9bab6e890c44

SHA1
3836e2db6ba575bbedf7a0a94cc381da25f8e20e

SHA256
11c15a9502d97945c7f7a86c9cd9b1f0b072241333eeb6e55889d184a7f691b4

SHA512
9f292ec4ce97eaba313f623e8949a57d8502cf1579ec19d77be99c73a306dddd2f0ca95c761c2db77d2980bfac13a8a07c6f7446a15ca0750284dae75c0e6c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb25c1a156197fb9563b7392196431cd

SHA1
454126cd24f497560bc1df32f86a11a6145c9058

SHA256
2f1b456ec210730e7350413606fcca4e9bc12de590fdd607225415dd9da025f0

SHA512
73d294e0ae264e680ed0673addec8f91178115ee6f30962df7a6d1f9ae56f7f4ec7b2cb529d8738ac60961c92873b3e335351b6f3b4b34c8352e6f343d1f003d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9488445944bb5d9ba46fe4836d73ccce

SHA1
b66b8ee674d4c39c4fb832d92e501ee03d7f9a57

SHA256
d7b0e86c1c28de0ed6e3e928366484090ec0b4107cd1e4690a734ac34e424f3c

SHA512
a6080c8db971af45f0bcb420c112a2bf833058339e508df29155b1ecc3d36e65f119dab10ed237355c50fdbd8fc7e1c9dafbcc273b72fb27909c95360cd282e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
761b7319fd99336df3d91e3631278478

SHA1
fd3d86e882149decae8e14934ee02305af711b1d

SHA256
73742d49d15f9d3b19935be612861baac47def43355a3ef5da2e63a042dc7144

SHA512
c36cc4b9dfa4bf02153470ba08dc57e8e256b092483dc69531507f43aa40421f9bcd95875ae1cbfac11bcd9344c4f93a9f3ae1f29c94e5c5728bbc5e6a7972db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07d969cf43beafd6292613d990c38221

SHA1
300312071c62d7b373c13db86751c2937d64350d

SHA256
577d8157a4a25e81eb3d8f40f3157d9f410a90cabcad863f2d997523c863657b

SHA512
493a0e3cbc1352bffc7309912314dde0b42950b9c01fc034ffc1a2920344cf07e8578e0ff3b9227a091fd30df0cda5d6969cf827f19cbf2795e071ed3027b3b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5887893894397da2b9a07bf936a434b5

SHA1
d93024b3080327249625d521dc3792e06df38da7

SHA256
b132ff12461d6cf1476484bff155c55df58d1ae2571c63cb5c6bcdf78d25596d

SHA512
6d2b1c19751fc248eecfdbf3dc0bc8a9cb3b3bfb38ec13dbcec809b38f4d6d2e2f6ececabbc5583b2a3749f0a3388a9238426ab2791740c978d800a7f2371afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c111ea7231ea0f0a779fc1407d5d0300

SHA1
f5a1db6f23196f42f62c913731036c3d914b7e3e

SHA256
898bf2da7632465a3d3185c552b6f04c6e39a55d27b051393f86b4cae979874b

SHA512
9924263d6bf12134a9fbd31432c4268006c51252ce4fcb427e44980c767bf04ee81266a1907191d9c56c35a338cb41180907e58066228102c6a630f72ea289da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c0f1cf05be8d369c46eda91823c8fd74

SHA1
fd651c5eaf327b55973c2d043a714c8be8abb159

SHA256
ea90eb83cc02e80aabc80b9b24a48ebf17b04720e2263b5d4a5d5b9a7fb4ddbc

SHA512
e1307d26c0f3f6dd4aff07c300171bc10ae5547e8adfd90b0054dbfc439038d75143679f4e2bf7dd5782d20fe44a85e2d2685fad7b35cdc1e39b50beacb05a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
fd35ed63317b36596d61930bf575d503

SHA1
9dbb99cc6b2080a138d7a940ae027ba759ed6d49

SHA256
89277a02ae79ffe3a02e71a28c5c42ffe4058f6ee8c0972aa5da0651977251a9

SHA512
59020bc560ffd7057a25c389d44757ffb34cc49f73e9fb2b7e064a096652f4f9971169b5e189e03ca1584e21f377b70edb1d55357eaf2ae2c36759562e636f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
58b0ed61111a55f379d82fe203e144bc

SHA1
04269758c3855480deb2af208a2985208760503c

SHA256
089cceef2fb366fff26a3a6ffa954fd99a63cc5280d9ba93a2e5f9a91089400d

SHA512
1c7796b1c947346364010f885114e43dd240e55bea6cf3fb85fb9ef9c2bd7d9047706aa097041941e09fb07fb7d7892f4c064294eebf6561434442ec7ec0cab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97402221b57866624418c42afd1ad6f4

SHA1
01ca951581ce7fde4e78f4783406d998fbaf3ed1

SHA256
5b5587a51a9b9df06dea1893a77e81d554d7bfa9217ef65fdaf7880566ab0752

SHA512
4015f262d247fb771b9b8333c869b818223b25f42f01a40c1b836a60fc68cae64188cb44ecb4847dc15f071963eda4390266848c65a3caf890f4a794ee7224f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec35.TMP

Filesize
874B

MD5
d46edc9bf3ed5260e055831fb59ea9fe

SHA1
a105bc1dbf1df3881238a3e007126d510e9a3654

SHA256
ca1f9887b16b3e3a2d5e16381aaba1d57443c760bea7ad50d4db4a78e34b913a

SHA512
09c5a1223914d274b771af414b7dfc6a8e6c8d31e531754b7adaef41bf6f1dd2d7139bec9a375b4989ac1c7a27efff94aee17bd2004ee85a0a64be852a86ae25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff7c4aa662f4bc29255246d43e25fba2

SHA1
7def8f3b26f7484f73b9db2e3b219fbce146cfa9

SHA256
62e4f2371abb8b8e6df04b0aac5dad3276ea3ab6488eabe7806e0ac26db69b88

SHA512
46b67285bed0856838e08f2652f7675f75417be3bb9fc18560d49f079fc6d3820321254f65d6d87d33061ae4b18cc870da6dc6ce426ff958616377e34e14edb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
eda699523a9d2444682d486828793a85

SHA1
3d620c6f3c8f2dfe63ffaeff4c6896e9f092ea5b

SHA256
f9a803bfe8a58e2eba559bc65ec9c4e87246c92379c40fb006b86eecbd0ad265

SHA512
23c0302f7feae89e10173f022c6f8ab80a9606271488cd1798e60a9e83a28b8a020ddb74cecb03ddfaef10e2f6a432f6909222d2f2604fa86e564798b3d42b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c46a58a66facc8ce09123963e82deaf8

SHA1
f2cd4eed27d041103fb6f62c7fcb2741dfe3dae5

SHA256
6f2ccd9e76716f6879c885c88606696fb3ca791a40e3ded0f0064a29d85e2ac5

SHA512
62bc4f130585027d490cba4ce1e6500affcb7b73eb74ccbbf737b58eec5ee06fd7e412e1c1d6c1ee36c8cd6487001ba075ab2983525bbc7be4a6d33a09039d8c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 211104.crdownload

Filesize
64B

MD5
5d9e0094c47b9de4473bea1d966c4f96

SHA1
7a6cd7ad7bcb31b6e87b2fc8ec8ec5e2dc3be55b

SHA256
cb1f493d64d2d4fda06c3ee8a1aed6a1041255d192fff223b78cf5645b371dcb

SHA512
016fd7a366a414f74c7388c499c27eec5d8a547e03584feab00dfabd503e25b6c63ce94ac82e3a7ea4b090410d58944d4cf4d4f12601e6af521619a361b22a5b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 395045.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 675570.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\VeryFun.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\stub.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/196-985-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/196-965-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/196-964-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/196-963-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-953-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-993-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-951-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-950-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-949-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-948-0x0000000002340000-0x000000000240E000-memory.dmp

Filesize
824KB

Download
memory/1272-988-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-989-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-990-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-991-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-992-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-952-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-996-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-997-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-998-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-999-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-1000-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-1001-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-1002-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-1003-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-1004-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1272-1005-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download