cryptolocker | hxxp://chrome-error[://]chromewebdata/#

Analysis

max time kernel
810s
max time network
810s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://chrome-error://chromewebdata/#

Score

10^/10

cryptolocker troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInfected_newest.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInfected_newest.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e28aca94.exe	explorer.exe

Executes dropped EXE 10 IoCs

pid	Process
4488	CryptoWall.exe
3092	CryptoLocker.exe
4624	{34184A33-0407-212E-3320-09040709E2C2}.exe
1960	{34184A33-0407-212E-3320-09040709E2C2}.exe
4968	NoMoreRansom.exe
1436	NoMoreRansom.exe
2116	MistInfected_newest.exe
1188	MistInfected_newest.exe
1504	MistInfected_newest.exe
1524	MistInfected_newest.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4968-1001-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1003-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1002-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1005-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1017-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1436-1019-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1436-1020-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1022-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1436-1023-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1026-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1030-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1050-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1073-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1092-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1111-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1112-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1134-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1175-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1203-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1236-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1246-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1256-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1266-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1276-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1277-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1278-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1279-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1280-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1281-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1282-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1283-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1284-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1285-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1286-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1287-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1288-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1289-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1290-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1291-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1292-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1293-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1294-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1295-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1296-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1297-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1298-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1299-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1300-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1301-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1302-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1303-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1304-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1305-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1315-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1316-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1317-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1318-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1319-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4968-1320-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e28aca9 = "C:\\e28aca94\\e28aca94.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e28aca94 = "C:\\Users\\Admin\\AppData\\Roaming\\e28aca94.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
97	raw.githubusercontent.com
98	raw.githubusercontent.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
164	ip-addr.es
277	ip-addr.es
387	ip-addr.es
497	ip-addr.es
601	ip-addr.es
693	ip-addr.es
106	ip-addr.es
108	ip-addr.es

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInfected_newest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInfected_newest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInfected_newest.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{C1C31C00-498A-4617-B0B7-0E3A02B477C5}	msedge.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 977530.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534793.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 370267.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 428333.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 243360.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 366091.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
4924	msedge.exe
4924	msedge.exe
3472	identity_helper.exe
3472	identity_helper.exe
1084	msedge.exe
1084	msedge.exe
4916	msedge.exe
4916	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
2176	msedge.exe
2176	msedge.exe
1528	msedge.exe
1528	msedge.exe
4968	NoMoreRansom.exe
4968	NoMoreRansom.exe
4968	NoMoreRansom.exe
4968	NoMoreRansom.exe
1436	NoMoreRansom.exe
1436	NoMoreRansom.exe
1436	NoMoreRansom.exe
1436	NoMoreRansom.exe
2964	msedge.exe
2964	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4488	CryptoWall.exe
2372	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1652	4924	msedge.exe	83
PID 4924 wrote to memory of 1652	4924	msedge.exe	83
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 4908	4924	msedge.exe	85
PID 4924 wrote to memory of 1492	4924	msedge.exe	86
PID 4924 wrote to memory of 1492	4924	msedge.exe	86
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87
PID 4924 wrote to memory of 2792	4924	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://chrome-error://chromewebdata/#
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb34c46f8,0x7ffcb34c4708,0x7ffcb34c4718
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Users\Admin\Downloads\CryptoWall.exe
  "C:\Users\Admin\Downloads\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:4488
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:2372
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3092
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4624
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Users\Admin\Downloads\MistInfected_newest.exe
  "C:\Users\Admin\Downloads\MistInfected_newest.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\MistInfected_newest.exe
    "C:\Users\Admin\AppData\Local\Temp\MistInfected_newest.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,13704499091228097402,4196844803879154599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Users\Admin\Downloads\MistInfected_newest.exe
  "C:\Users\Admin\Downloads\MistInfected_newest.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\MistInfected_newest.exe
    "C:\Users\Admin\AppData\Local\Temp\MistInfected_newest.exe"
    3⤵
    - Executes dropped EXE
    PID:1524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3480

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
41KB

MD5
ed3c7f5755bf251bd20441f4dc65f5bf

SHA1
3919a57831d103837e0cc158182ac10b903942c5

SHA256
55cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d

SHA512
c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
60adcf9f9f32fd5d4f926e864c984c07

SHA1
6edb5d596d12692cf4a2c78d4c4fbbbd7e5f65ed

SHA256
a841d0308d40c807537e658f01bd2f72a37b52c5fcf4d5486e7f93e3b306d268

SHA512
fe21639479fdf92bb7893b1e83061f3bd870ee0311dd46494524f11c99a00e5e0fe6498bb2080e8fd56dd9c104150c26e3459fbc9f55f9904f1712788b8fc5a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
464082f09ff27df74820c00de49348df

SHA1
23523946f68da13f71447f968ae6bf949e76b9b0

SHA256
548de9f7e2302087a9dde259ad3fb978d21a4cb4940381da8088810c22dde018

SHA512
8877932016b3802fd090b0e7b2c5a4ba1a91d27c6652d2fc03754d33002128a815a6c7d5367ba5e31635e697e442225616f30d89df0c99726ab1cdd1fba16dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
948B

MD5
0b71b38c0cd2bd22c7dfd3e0d0b8eafa

SHA1
5572e97c72920926fb21e4240b874163d63155f4

SHA256
a8179032d2d2f163c0a7ba12504e5d4a61b535fd25066ae65a7b2f6b79d910c0

SHA512
82e4a6cec7892757e704c96ae1a721b86724f531a0fc34e8be12606b741670ae46b735fff235964ba34b314443bd331a60358e8f1794639ed5f25363bb4f7266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
484578b1d17a16b0dd5c3f95ce577ecf

SHA1
83cc9e6c1fbddb855b210dc585e55c2c99929202

SHA256
f824c7a688d75562bbb2350d18788a4ccace1c3f0988dbf194c9e23152ce9b46

SHA512
5784a7db161656cd67906c8cda02b683c1678721d73f3c8446d15d333b76b8f2244a312c95aefc0fd16388827aecf5171e38c337fe40cc858ffc091b5189690c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7463282c583707097d555e1cdb363cfc

SHA1
6d104fdf2fa277c41d49a4027ab6c85a8e240612

SHA256
32c5e02f1a7f80695e57d557b765f985cfdabfd038ab684852cc9598424cf555

SHA512
466c6bf41d3ffdf25e1a768514d6cfa139c5935ead577208a5976c5de4e7f0857a00f21a9e787f0345eaf75f9cda2bedeb5a03a28857778a947216ef04b248ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f7bdca7f2a111e9250486c51283a7c5

SHA1
3c4c7e1520cfa1048aea16f5f70a65354df9aa04

SHA256
e654495de2bd7149f28a5f5199e3261702887a2ad85b39e1400393d90ceaa268

SHA512
b013ddb624d5db411fe1c599d7b611a996b7ee5a49058791f5e10c811f975b4b3d65c8b354b5bdf3c3872db2a81394c3d65db2497557109598273349bedca7d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7e01bbb2faa78024d1476bdcdcc70bc0

SHA1
d72c4beebea9174627c20cf08e893b78bcf99218

SHA256
604b691e41b92da3c66623f489827e1e195bbf4ecf78635fae13fc265d3d48ec

SHA512
825d6c3d43c2a3a137a0e8cea40732b0a61664ed4ad86dcc770e2f1370fe027b03e325674445caecbe90d0e3f28657b94a9bb7df9ab19866d609512839841789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb742bc98b9ba26e3f4bf236f9b70b1e

SHA1
d78369618bcabbb647c35e3891d9ac4535a7b5aa

SHA256
3ea3c4ef78e61674780469e74cb85309fe30f83df62ffa8f3d7feeed32242fcd

SHA512
f16c69fafa5c836098e387b2ddbd96b799f94bd8b2c86e99d82ba84623de1625a71039fa573b36d717dc8ff0624fb1aa10121988e5822faf81bb8d9b17e828bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ea093b19e35734acaeb4b610d4edb5c5

SHA1
70a1fd090437d94dadc646897509a93cffcd1bf4

SHA256
c89d43bdb320654e9b6619b24c270de9509ff66e98f4472c3f2bf1f8c5cf2488

SHA512
fd959b51565dd6b6fe5e5d99ac8fee721dd2b16fb324319b13889b39e0f63c66e24700a8ec92a9c8bf6128adf29e48e73c9f18da2749d39f1292245b9b44d58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
29ccf801cb70c1e2464943e2b0c19f7c

SHA1
f00c6afc25fc0a3faf49f912a16b77d0c9df65f2

SHA256
6198af45821bc87ac58db65f2589b275b755c011f368b512e27d81b1d21dffb9

SHA512
2c1f979669826e2e546c9dc1d35463ac379c79ff015cc55f8aad627922809e739177dce48ac0283f70df71081e80e4519efbb6a6c555a08179d00fe27427c4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cdeaa472ad7fb84598e5dce34c0c362d

SHA1
63abf8e7c358f9e5cc583a959d5a20a83d5a6842

SHA256
d50f54a6afb86c204f01208bef2ed01a47a72f7e1d9e5a3639f6e75af19395c6

SHA512
c023bf242a8e91ec6e165e2f88fc78e5487eacd5644332e9ef89fc8c80b97468ea3d271d837d9f0a98db6875a7d6fb85599aca5aaf4fc38dc4f5313308ba562d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
534B

MD5
7fe12c68ea7b5e7fecd6a32d29811f7e

SHA1
68c4f0c02eacc5088675e0692bb123e9fcfaeb91

SHA256
153eca290a789571b9f1926bb219b18a7e71b99078233f5ca5ae094b01f510ed

SHA512
63c9b6ac3f0ddd44106afe1ff294022e25e8c4f81659a51bafb536e825e3b35975114245979f58d2d62d7aac1d2423a360726d5e32c35971d8ca29c1d2cc332e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2bdf36f07ff9d96d4e554293954c69ee

SHA1
bc45a7b3763d185636e992741b26b7c2f8595cdb

SHA256
aaf3c53d5b53cb0f03eb8fe8d76627e0a0ba7e25336d6776fd17bd4e0cb10a82

SHA512
60dd1d45a28387503b78f845c515874f8e8821fb8deddb1db4220ee7d95dc2f8aa644cb66ff2211da5f59f929ff7eb930211d092a5c0a7b8c66cd8f573e3284e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b2a546fd7670fb15dfe6be42a94c9c10

SHA1
f4f105b0a98deaefd1f07b1f278f84af98af48ce

SHA256
d2f162f284488b13c80bb75ff765b6717378288c354b7e49c0ea042fa81c1143

SHA512
ac656b2bcc984378bb02365ff7296ef04e8e4ee6ec4b4c7ab4a4728631f91b3bbdbc31bb395b561c09a26fc93f079c1965c443fb0a91a5d47b0e61973544fc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
58295c184667d534dcf0a4e022a41caf

SHA1
6fcaad3a2b44c5c29783e4742b524d7b77ceaed5

SHA256
b5913e9b88ad6f362999235169364c198c4fddd76691c0c99951f0c08237a307

SHA512
c2372d4ec004f2c5d67d8525cdbb175771fc544193c8deaf2e244a22ceb01118e6f23d3bba2a99246c98f1145573cbfbbf1d0ed56c1db2dafcaca90834468419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79618d2b346e04fa100f9b49ff878884

SHA1
4cff9ca2bededf15ae5af6d0b14b9f451ec1d21b

SHA256
cfdd4165cf86422104fce0ed7d4c4be336eef3832de5a83f96b57b338cd2a34d

SHA512
71896a713843b435a87efd5be82f8c082f3d6c5966f95bd501e12336c8c4e1f74bb7281cfba91b8b6acdea998df33414834308bea74c186f70b03b25ef54867b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e10f9b25d4995c22e146cc9f86197128

SHA1
0cd909d6004624da0b9d54a109bbdfe4b6401cc0

SHA256
39be55bcbeb6bd9b0bb7b53aea274c3a5dbb564b8d4bee39e2c200250459a14f

SHA512
7899a6cac50b11c9716aabe7a4897700239425ffcecc3b6d59f4dfb01c7fba3f0666a13c86c44cf93fa65c17435bd1541507ed533792a7229bb17bc3d189dbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d69a7b0882e175dcc8238123b534bb0f

SHA1
b466df46bb6903878aae5d18341448c9d2c1d7a6

SHA256
7c794159a65c29a52897740aacd8e48b9c95e73057028e2fff90b9cc8c1a5cb7

SHA512
af3e6a9de860539d6ed2fb82d40691991f0e282b8e9d557257f05ad0297c527589b2c27ac1009bd177c0e9d9811a3f6cd4e457fe0f96f63f28b8aa8cbf95d18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5aa0eefc43e6440fee9b821c09b8dd6c

SHA1
7f1f3d70de02941618598a87fd6330e41f9000d7

SHA256
60d9896858bef81cc8678d1ced95bdada105f91d8d2a624fb67b4a337117b9f3

SHA512
ed7e55d09917d3920e5aaf0f6dda65709cfe054f6fc9ac7daec6dcbe2a2fe36dc66504aafe9a3177f550f19e6cd8e4a210f203c78bba10dfa6e293450776a0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c225cf5119fd1983982e60b5603cf58d

SHA1
f2882d0ce54c319b2bee2623e328a8617b9c4bf0

SHA256
d300fe264d6004be65475f2f834bae639367d5c26bf8d887066e47de85354e66

SHA512
424001d2b0cb0ee52242f20b3a4d0829dcf12467e05a0e9653dbd637df9f296f7a5647ebe705cb71a88f33fc235923c97d1ef800b895ac0f79b4af563cd3a5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60aae8a027de9249e2e8bdf445ad8b45

SHA1
ce73d4425d2d7a0f1a71fa04f2e1462e6912e2a3

SHA256
f8f9e700940ddfd6a623f7fc3c222d56a392ab9ce53bf2775b62dddac554148b

SHA512
a8f33fed189e95e07123a07d93a4ae714a87711ebe4955264ff63195583ec5154661a91075b109e944344d2df1ee973961eedddef11a6ec73c0442655e461c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
80734a7ca5f4fe7c303b762ff64513f5

SHA1
f0d27f56ee3cf97e69ee7f4c7afb2f0274e9c972

SHA256
f8432effd76165036e4f9212f3cbb05efb8931ef46d5e632adc7a7ba03193499

SHA512
e7bf5cbbf89391136a9553230046bdbd7444526ab58fcafcb1cec4949c68a5b6becb193b5b182cd3af90840ae855eafec1c744d7239ebaa263dad1a9a613f2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc075e03d2eeaa3c819860198f8678c1

SHA1
5e31e68355e2b8432ab7af461e1e88c4cd7b9b9c

SHA256
26b433ad75dc309b1dca584b2687536d590a3f7fb07c5d8b8d9a4beb8296d146

SHA512
46b72a7899cd4281e65622427a2be187d3411de5b4a06c129185edeb10614f4eb58a4114256dc07d3d06afb3548348dd11eb7eb57e35e244fa6165d215f9a290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eccc9113bae31ecfd41b4d4648af39cb

SHA1
d6884dc43fe12a7b391826f9ee87bd30a11f8311

SHA256
86bccedc45fb57e01cd118d0899c8016d6e1300ddee18c5e01120de34c7f28e1

SHA512
0f6f1789da00a85c73d078a8f117a6a2ae0681d216c2c4a091682c4bf9068b12d08f9b620ef16c82cdd54cf36a10ecc5bf2aab56f17f7006fb872ad818f02cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d2701995cfdd5d4f6be6a6e7a6c17bb9

SHA1
dc28e28b323116d9262e56f345701dc4975e0f72

SHA256
a2d0db93b96620c269ef3ab0d58090bc40a3617f4d799469439f41448ec3945f

SHA512
81a9445c8fa78008b664e4f147389a1f5ddbd4b4a404764c540f21d4333b312d0fe32583a9ae0d02d4e3076eced72617bcb98e824735b201fb9ec14515ca1e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e00c2211634ffeaf02250476491c5c4

SHA1
ea8974c6147f765e7ff4827b7b5594e8f6cda32f

SHA256
ea0e91254dd963c89bdd6004285e55654aa52e2893c57da31a8ad60c35a7ed39

SHA512
cd969ddd5b05704104598733daddd3214c5415b5d2a74a2d8bd54991a75aa6b691c509800be643acf8f63b37b2ffc0ef1fb9050b42a3d8d27d98e4f749646954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68897196ab0fd17dabfb6684088ffb67

SHA1
e45adc29130b60d0e6dbf7dd4c085259e79693c2

SHA256
c43f488b79dc5d1f133406976323a4a0871a0297bc618013cc951aecbbf693c8

SHA512
5bf2e1db1dd323d6ba1ae3279305d0ea6814208b595401a40775f2c331a55e9816c0e00d30a947d482f29dfd62b7cd1bd6ab4a1417ea8b27d675e15d6a0b01d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5832f2.TMP

Filesize
534B

MD5
ffbefbd5264d5b9f2a592391654b1c1c

SHA1
b5cc73b0537362284b5884e590e0ae44b6248d7c

SHA256
e2e4c9cd4b30f585f3b32ef7ff25149d511961629dd0a91bada2167b40bb8f96

SHA512
21413eb68fd85624c234e2a974eaac149a274e5aafff0167f201dfb914cbeae4571039d2b05c118010addad23da9b21dc5c432b0bbd9bc573f1574b1d19bd651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e058808040438116f44b739a9b88971

SHA1
914d6243dfb6ce1f95947b4cd044235fefb02cb1

SHA256
1649a26a6fe46e666167212b9d81e4bce77783ec7d1276e992340dcb1d0a5216

SHA512
ebbc90bce7489dc207614397a396edb96bc67a4a491639ce82b430b69330369cd031c9b384da36cdf2adb103a328e64e6e2c8454ceaa5cc3b665578cd0fc36e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47e4d836a9110f7aae23153e02b4f6f3

SHA1
437808c6e12c07117ab66f58df432a32289dbedf

SHA256
3f255647d93784e72cfa9719a29e6f3d07b24fd0fdf9ff0c3d09c78b2f36ada6

SHA512
d39a951424b15685b9a4dfcbbef46c84e809f3a16c1b9d38b6952280230f84f8b5da7161799230e1fbc7146b70c17f2027767c178515086c9cffb67c37811f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0d9497aff87632533d0dff2da6530bdd

SHA1
8b4e0fe6155b7a81cc86e249bce76ac62e3604b9

SHA256
245f7ea16ce0c31d432d5f322b03f19e92779bba9c8931a544f4c756384bce19

SHA512
e91a4e53a00164b855e86cd7ad2430eef2286597be62e906a5a24413f486513ae1205c6f1f5510edf5d457fdeb156cc473f95466a3b454c4987b348146f65715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00c75e905fb63664b6df636940c21f4c

SHA1
fc73f7dee7a852aa0a477cb0f9f9912bc54d07d8

SHA256
460e4d971cfebea7ed98d47f9dcc19a24f08902fea3ddfc058ed78085d0dc815

SHA512
4ab079187c7f26161b8507ce9b76b7f6b0ef3e3928cb6c0f0cb0229a57f89991799030bfce627820e1d57f78807f493cebf92e41d5a51a873a2cdc82a3d08003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e38185c601a23b556b15c4d0868750c0

SHA1
75383dde76d4e92124aae3ba8d33232ce6ffa756

SHA256
5c5b9bbf1a5d3c44233d5b998b5f1de1afc4f28a02bc79e7badb342cf6d7c4c6

SHA512
285184bb89173701e0edb44cbbfda7219ce5c4921e9da1e4c0e44512ed708b7cda76610e2ff02759c9b4678825c9baa721d391b3e37d7d1dfd45808423b71df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MistInfected_newest.exe

Filesize
3KB

MD5
459f3d7499adf6570cd98bbc2635f74c

SHA1
e2f1ffe536315c83e65d099e84c1ec8728bbee85

SHA256
5c5ecc47ad85aadb5acf9d057461073ec37c9407510379dd16985284b821cda7

SHA512
748b9ef6c075036d6cda5840864e10b92fad80416578b51e37a0e7a01ddac1b80f2af192897e2e68b023904ac7f2f2bd17c5840161c51ac09e551f4641520490

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 243360.crdownload

Filesize
22KB

MD5
1e527b9018e98351782da198e9b030dc

SHA1
647122775c704548a460d6d4a2e2ff0f2390a506

SHA256
5f7471c215b433f1b28dd4b328b99362099b6df7cb9e5c1d86a756388e0c7aeb

SHA512
4a11c811f30016218075d43a9f983fa7a484a06f22d625b1bd2d92b4cfabbfb142945ca0a9ca1cf91391a3e73c154f6121140d2f1d42aa35ad7f10817534a21b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 370267.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 428333.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 534793.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 977530.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Windows\SysWOW64\drivers\mistdrv.sys

Filesize
14KB

MD5
fb021609c5635e3afd5d65384f83a77e

SHA1
f2783bdb8c969e6a156438834873fbe59ed1a5d3

SHA256
40fd2d7e99c37b89bf8145000ed30479aa6d0a7c82d28eebb00d2377d0ac9f17

SHA512
f8e9f93c35a8837a454fa82578c02a4df3079bb03500cd023e4f1bd6ed5acd8cdbed19b5a5d3a930304f593410607060390b03de790d378060ea56cd1b767a33

Download Submit
memory/1436-1019-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1436-1020-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1436-1023-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2372-812-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download
memory/2372-807-0x0000000000690000-0x00000000006B5000-memory.dmp

Filesize
148KB

Download
memory/4968-1073-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1284-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1050-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1111-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1112-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1030-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1134-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1026-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1022-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1017-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1175-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1005-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1203-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1002-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1003-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1236-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1246-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1256-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1001-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1266-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1320-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1276-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1277-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1278-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1279-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1280-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1281-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1282-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1283-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1092-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1285-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1286-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1287-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1288-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1289-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1290-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1291-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1292-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1293-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1294-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1295-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1296-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1297-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1298-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1299-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1300-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1301-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1302-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1303-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1304-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1305-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1315-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1316-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1317-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1318-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4968-1319-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5116-811-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download