hxxps://www[.]roblox[.]com/redeem

Resubmissions

03-12-2024 17:31

241203-v3syba1men 8

03-12-2024 17:26

241203-vz6d8s1len 8

Analysis

max time kernel
236s
max time network
248s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-12-2024 17:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.roblox.com/redeem

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInfected_newest (1).exe
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInfected_newest (1).exe

Executes dropped EXE 6 IoCs

pid	Process
3324	MistInfected_newest (1).exe
4760	MistInfected_newest (1).exe
3236	MistInfected_newest (1).exe
1572	MistInfected_newest (1).exe
2432	GoldenEye.exe
3324	SpatialAudioLicenseSrv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
1	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SpatialAudioLicenseSrv.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MistInfected_newest (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpatialAudioLicenseSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInfected_newest (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInfected_newest (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInfected_newest (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MistInfected_newest (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 875457.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{4bac3c5d-d8ac-474f-9242-892c4453c440}\SpatialAudioLicenseSrv.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{4bac3c5d-d8ac-474f-9242-892c4453c440}\SpatialAudioLicenseSrv.exe\:Zone.Identifier:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 52202.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 79954.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
2728	msedge.exe
2728	msedge.exe
4564	msedge.exe
4564	msedge.exe
768	identity_helper.exe
768	identity_helper.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
2136	msedge.exe
2136	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3324	SpatialAudioLicenseSrv.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2664	2728	msedge.exe	77
PID 2728 wrote to memory of 2664	2728	msedge.exe	77
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 1412	2728	msedge.exe	78
PID 2728 wrote to memory of 392	2728	msedge.exe	79
PID 2728 wrote to memory of 392	2728	msedge.exe	79
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80
PID 2728 wrote to memory of 4996	2728	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.roblox.com/redeem
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe5a9e3cb8,0x7ffe5a9e3cc8,0x7ffe5a9e3cd8
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Users\Admin\Downloads\MistInfected_newest (1).exe
  "C:\Users\Admin\Downloads\MistInfected_newest (1).exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\MistInfected_newest (1).exe
    "C:\Users\Admin\AppData\Local\Temp\MistInfected_newest (1).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4760
- C:\Users\Admin\Downloads\MistInfected_newest (1).exe
  "C:\Users\Admin\Downloads\MistInfected_newest (1).exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\MistInfected_newest (1).exe
    "C:\Users\Admin\AppData\Local\Temp\MistInfected_newest (1).exe"
    3⤵
    - Executes dropped EXE
    PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,4364044119492128221,4926942795066963264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2432
- - C:\Users\Admin\AppData\Roaming\{4bac3c5d-d8ac-474f-9242-892c4453c440}\SpatialAudioLicenseSrv.exe
    "C:\Users\Admin\AppData\Roaming\{4bac3c5d-d8ac-474f-9242-892c4453c440}\SpatialAudioLicenseSrv.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
25KB

MD5
e29b448723134a2db688bf1a3bf70b37

SHA1
3c8eba27ac947808101fa09bfe83723f2ab8d6b0

SHA256
349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69

SHA512
4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
22KB

MD5
1e527b9018e98351782da198e9b030dc

SHA1
647122775c704548a460d6d4a2e2ff0f2390a506

SHA256
5f7471c215b433f1b28dd4b328b99362099b6df7cb9e5c1d86a756388e0c7aeb

SHA512
4a11c811f30016218075d43a9f983fa7a484a06f22d625b1bd2d92b4cfabbfb142945ca0a9ca1cf91391a3e73c154f6121140d2f1d42aa35ad7f10817534a21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
85f34e5d8e1ef71bc81479a870ebe8b7

SHA1
82570eccfe4eb3abab47418486ad624d02ae2e6e

SHA256
dc545d3ebbc6656689071fc5327f7256324c0ae0eb79f18793e31e28f0714649

SHA512
d4b9686ac4eb64eed3c75fe7c87d63055a44338ffae8909ae6504f9c72aa46893c2397904d946699346647cb48b09c63c4c1b7eddba5ee6c7106c30fee2183bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2fa979fe25778ea3bc718a4f4f3a864d

SHA1
acc242ff7c62d9aea8c5b88b83796a8ea625b8c0

SHA256
2d9865d426de04b7cdba8b69901ac50facb678b0a8de8ca317e52e7b57393828

SHA512
45001f80a9709924660654aba24e93cf51f2263d63c26c47f7c40959d108acbbab99cfcb516659d181d02367be479764b8c6310ed6acb86c01c89d111ba41d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
16cdf008d3c53bbced9c1b3037d2b55c

SHA1
890314e5b844a0c9a9bc9ad56a9bf9e8dc036271

SHA256
29ba80426c4d8272d137bcb0d0a925846d61afe30685ce07242bb4ca1e93f985

SHA512
37a4638139f5c812bb4854e2098f93c05227e1b6914209073dbcc7f1d3796cae5afff5166c373a39ef6fb6f38c52ad750fa22a63685bd35c793983065f0fa4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06ff332da1a04cf7e9857af29cea545f

SHA1
ed2134e8999b65a2db6fdce1e8e6949833e7ce47

SHA256
f6b16f9d8f73543cc5c247b8b4ad310cbe78478c83c9b4814f8c46a2f11ecfd7

SHA512
49749d78e73e231f1ed24f1c48e88c6a75d6e90db9824f346be7fe5a991ee707bb756be070c2c465027700aaf79241a58110dc1a93dd2debbbd7fb12e66cab95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f41afd2002af34eba27c2af0c9c9de83

SHA1
e12903c2d02de39f1234396d6b2b3cd38bbc5e9a

SHA256
0194784aa633b890c3e0b81b6528e1cb68bfd21f3c9447b734de8992f8afbe5c

SHA512
ef33b67f73f581d814650659a89ffc05628ce4b6f411738b18466413556a848d94fdcee1424c073abd683a6c734545b44e8f79140b2a7a73a7d386105dc3a660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
330ad1585f4c8ea0be741b5622b29fc6

SHA1
8466ba6e0cc7bba5587f666aa00cfb9a81cfe315

SHA256
a258379c433de689fd34815ad926bc47f7e50f7e1ff9b34dde34a59b2158a0a3

SHA512
80485187bf9f620b25c00940b8534c3e5cb91371e99150c8d84efbdf1edbec89b1a7d48e8ce94342b5a9587e5d3ea4747583c450c78c4bb528cc63bc876c6ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb026f3f2593dd8e333812bd4a15b4c6

SHA1
c38f459641a0ac9f55281a019378852491220030

SHA256
9d216d35d701fdad51b8f4070946db0330ffeac60e539a8d402beffba4852bb1

SHA512
910bf1af98262c2893fe4c098dcc9057b1dc1488306262105115d07c59fec2288654e98160d2feb75b604b36575f08af6ee60734a868167d8ce0585f11b64a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
483b3957c9a684b54312122083d34df0

SHA1
af9eb6e8109b4a421cebaf7564b1254e8d6b46cb

SHA256
a9719d849c5f386f1420d24854c476331e662bbf801b880ceebbe86c9ae00209

SHA512
b1a8d4abb09ae972689a7d4bc2cd0ae6432294fa5d3c1b98fd567eab8241c375a19d7224a69acc07ea190668bca1089a8b48ff658343332d710d8cc7f5179a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a3adc25c483b6699edb837d46f3e1c54

SHA1
29f7e371a8074bf61ddc9db30ace58e70fb86ec2

SHA256
95828afa2e0d2e1574d6fce13790eeb953051b19978959bc5e20011632396d0d

SHA512
552af2b7066693315ee78c1518bb0c3473c266fde92489b92dcd2ad6767afcc80a568f49a3348b2abe73558d54e352b269ce40b2356d78453620f9c6053a7a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c2d206a20e9e2880006bf5633503d071

SHA1
0ba257ec6c3256cc118499371764247e7346c7f5

SHA256
dc2fab54e6cdd139524cad2421432732e5d55c1d2d3e8ba0e23be70fcc566bf6

SHA512
6913b29c985e70313d66eca1d183e9876bdcdf7ffed748defb662b0b74ce4493d2fd42e209114acf9f2ced3255458f4b7e6cc784343577e4b586b9913c83367c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
acbc7fae18db00909fda5edd1fc17492

SHA1
f619d89efe4ca48b9875e8dda013d18d66030268

SHA256
903ccce17c9f7c1b5bfcc05a3d4d06bd7994ad3d7392a1b75fd7a39f8a1ff2e7

SHA512
0a34f4297ddf3d7993e133dc1e0f6f7cb7c7b1f84612aa4ab0e3539f0dd7590203d8f1715664e5dda133728b8ba79ed98b04b6e71f96219fa9301fe8282d1e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bc47a5e339cd4311c16b9c3d8735955a

SHA1
33b75c6207ddf937f347a0e71df076a1f8925291

SHA256
8f2723290ab345d0aa4f675a2baf54256eb51a222839ef902db64b37a3158cfd

SHA512
9725329ff33138b0fddc25f43d0ca587a2f69719b3df49796cc79331f0f6fdf21db1dca33aac979e9d7f6d6661a1302bb0fa8ae6bba8d7694bff0dccb81a0779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
52f801ef63c2c8272ed8814b2aa5eb9e

SHA1
ea0e91b98b299be7290a01f1fbd137a6504d3183

SHA256
f9f263cec2f5e51d1b205d1f69832b6a673b5d5ec4a04450f496f5c850a2a712

SHA512
21fe6401a9441748c06f75f836ed3a429d774b0527a7ab83f91b9261ebe5d98fc81de14817fdda57a1ad14593ada1cfe3e6310f8b32cf5d74bde43779160e41a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
18b9b38cb6e3502196aa2fd2ff6a7591

SHA1
bb7348f6145a08187e9f4d256702d18782cacbcf

SHA256
12e918b8bf54a1168ae53ab605749775df8a701b2fcdb9171619afe3ecea62d5

SHA512
50913659809ba6dfa433ac09b3d3e2bda8054a05e3a60c2d8ac6b77066807753531bda93e63b0386d9794ec17951aa7895b56b733fdcce2aeacb792d1dc9068a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8a16a394f55219ad0c575ce13b84118f

SHA1
debfe572802dde43e8b545d1c4304600c6295dc4

SHA256
8a1886db9c2eb87f4393593a92b693ce4a10a654b4bb02034e35caddef246bef

SHA512
b744f2aebb57135c2e92a268b373fb3eb7e5af9c1c6d0deae6148041201d46f953b88e7784399b428f711dcc8c430c1a828dd3aad623b7a5113a7dcf39b31424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ad80b7437acbe2bb97789726142c8536

SHA1
fbcf13e3266d07736207e4636c333e00782ff6e4

SHA256
ef38c532da46ac749b797ce7da87f8847836087301df91836b8590a4d02daa23

SHA512
f5cc68c8f850150bba01b954262d9b505c3f4446826acff79164d2fb90cda1e7c3b1612b62cb8de83f8842becb62102218cff118c56203e3f8299e4a1b84cf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
97b0076875b99df3e932ae133bf0f12c

SHA1
ea03b95cd9211abf8d73022a154235f488617be3

SHA256
5b2b394027a7efd5417818f42e341514e0229997da611782d4c56b6339be74a6

SHA512
2495284fcdb4de9fd5c0da35771a8095b100636900dd87c4cf0c21d7224fe96ed42617cbc9b2a25dabcd9d9ffd0f4b1d87271c3fcb31ddd02af1514305cc72f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92ef930fffd671781889f655e99e1e75

SHA1
f0cbe20861bab4142e8fafd57acb75c14fdd4ac7

SHA256
6705b2dfce7e752f174498ecad721f3a46714bc64fc4da940a31579cf3b7661f

SHA512
9b393686a46ee031881bd7ac1614b480d3a750726619b8e52a7a5fd2afc9ebd7b7e169cc90a0bf06cf058c3c679a46787de91553c41075f3494f07581555f61d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c72170b67c2ce4e1a82a50d00c8231f1

SHA1
a73574ff0ce970c9e1e9a71fbc03119309e599f4

SHA256
4a14d6252e42287d640bfceeced299f3922bc8cb1d1b331d0bafaea140e43887

SHA512
9ecec1d71ff344ffe1f8a365f554c97f6575aa62cc6b96ec281206b984934592f45088fe06c2963384b84f56713ad9d9a545ad9b85892c2886c21320e1ad01df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51e08ee242544a0209c6cb0a33a7be29

SHA1
c15dfa315a262ac01fd9b9909ea55d99ab418d03

SHA256
ab7f6dc166d80438a4d49ce3f3f3ce5738f94603a1ac3bf6fcff1ec154d4ca5c

SHA512
168ce17d9754e9479b6706de575aa718b0aef80f491439c05b1d6eb82552743a8a7c08dafd0c8afd6642e6d27c242c8d53f7a4d01063e0832cafcd1d040d36ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ef90.TMP

Filesize
1KB

MD5
6cf1c516db602d09137162becfa2d5e1

SHA1
e20778852e1fd1bbd106f01a7f7894cd4013640e

SHA256
69c82a42c8ed013e4c40c7d38f79dae9bf253a359f516bf12bbf0d76c605e2c0

SHA512
ea22086042e17e524efa7e5cfc735434a23fb6f60e380c423037551fe4b406543ebb9b08549322d4b2144cff38962666c6f259770565d0dce63a486995a7cfcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
31b598c800c5a5a2bac373c883741ff3

SHA1
83969b87d77a54cf6d4311936a5675f2a2bab2c9

SHA256
d19566598c7b04d5f11dded52ddb816ae9377fcb7e4cd3c00df0041532206edf

SHA512
abfb1a99459c01134859149ab61a8e777ba68108d3a2ca035b07310d90244d8c2e3809330d9cb8555c98b764393f0472bb341f51a66e1a4c0585ea085ef378f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f9134133f2fafb5b9778846e6115b2c

SHA1
508f3faa1a01ec79e8ef0055c2fe829526bdafd4

SHA256
4c116b0b98700fa61eaabe99b37a6195a3e89573d7056991155458e819f8bd33

SHA512
f9a24c4130797bd50e3d43c03de40ff5beac0e861f530a4f7a633e9c2e64cc30da9eb79912e9107bd7518276f6e16b56ef30282a4aa722f992c20673f752f2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7031e9f67cd7081f87107d3effa92be8

SHA1
628163b5d1b9b853baa3c4eceaa8d1e50d48f849

SHA256
cac5e67c80746c329d773f33b61cea0e74759d5ced7b91d9b467c7843a2d1ad2

SHA512
93b61324be9c6e9335a7409779e17d140e1754472196c46fb1be79debf8592b47cc98431c2c892cc251e366d9ba5beac1bc464e5e7f0ec3b31ff2cfd49d62d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
99b653786f3ceef88176db37274af7e6

SHA1
20e747368044e594928a1cbe000da42a6ec2e822

SHA256
c9b738ed2fd1189ea7e14386d55e06e38b487df72d64a29a1dd672f5b00a56ce

SHA512
3b0c25fda0704388af9c1834169dab840be96df2f3702dcbccd5507d308e1218c9df26f2b38e0efa2f74d03e9fb7eb091df777a7db746ca32f168381b33c7cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6be240d6c4b98fae545c761e2b767ea8

SHA1
47a42bfc5841bd4d5f77c7201fdb837330e591d0

SHA256
e9dda6d1b15ab3ee7edc3163ad7c5502597c391df12d41044dfb862b9130bb6a

SHA512
59aa1ccd5cfe2a1a7d3e87ea59ba7ece2b72f43018369d5ef6a2e7de8880df3210a5d31a5c6be27cc3ce20bd87c5a63e038b8ca8be217b3ee6ff93dc7105f101

Download Submit
C:\Users\Admin\AppData\Local\Temp\MistInfected_newest (1).exe

Filesize
3KB

MD5
459f3d7499adf6570cd98bbc2635f74c

SHA1
e2f1ffe536315c83e65d099e84c1ec8728bbee85

SHA256
5c5ecc47ad85aadb5acf9d057461073ec37c9407510379dd16985284b821cda7

SHA512
748b9ef6c075036d6cda5840864e10b92fad80416578b51e37a0e7a01ddac1b80f2af192897e2e68b023904ac7f2f2bd17c5840161c51ac09e551f4641520490

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
f06bfe30ee72c739c0f8eb97f39eeeb9

SHA1
bdaaae3a85dff8292644e191fece08e5f32ea628

SHA256
442720e770299421e0224059b4c1a4068d31dc56a8a75c7813e407067cc6ce9c

SHA512
c3728f074afd8fb2ca0fd6f522739b0478c995a03eb932a765d879093d5627c2b3f51d4cced7241dcd811d6517f178379c23a5916063d6537e938e2064d50041

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
3e22503ed55f96ae2fc015804fb95f0d

SHA1
544fda053364541485ddf007a0bf0cb3b70a26dd

SHA256
30b79ba76effb0c1891a21cb5afa1d6fc1ffa503338e5ba3e986b1a9a16267d2

SHA512
0605dd46671e7bac634151842d8726e5a87a9c537645376fffed0c7ae80184f98ba6604fc87529d2396f3040d9000bd082e94535e9e272bba59eea615d909e55

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 875457.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\UseBlock.exe

Filesize
437KB

MD5
eed52f671ef3228a735d807e4eb73156

SHA1
47e2b62e7a2976cc016d8860d86f3d481af56a79

SHA256
1cd1ff8532c223038a836d96b254e8daf13bae95d25f3fab1815f29a1344b432

SHA512
0c7e4f80a70c258fcfb010f16d32195d10fdb9c12bbe301d28b1533773eb6a9d31303334253bcb4d95007319ab8680d7947f8f1e051a46e9c06df53ec17a7d79

Download Submit
C:\Windows\SysWOW64\drivers\mistdrv.sys

Filesize
14KB

MD5
fb021609c5635e3afd5d65384f83a77e

SHA1
f2783bdb8c969e6a156438834873fbe59ed1a5d3

SHA256
40fd2d7e99c37b89bf8145000ed30479aa6d0a7c82d28eebb00d2377d0ac9f17

SHA512
f8e9f93c35a8837a454fa82578c02a4df3079bb03500cd023e4f1bd6ed5acd8cdbed19b5a5d3a930304f593410607060390b03de790d378060ea56cd1b767a33

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads