troldesh | hxxp://github[.]com

Analysis

max time kernel
247s
max time network
253s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
19-02-2024 19:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

troldesh evasion persistence ransomware trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3692-653-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-652-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-654-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-655-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-656-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-669-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-673-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-683-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-696-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-713-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-743-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-745-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-750-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-752-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3692-930-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
35	camo.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoEscape.zip:Zone.Identifier	msedge.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1780	msedge.exe
1780	msedge.exe
2800	msedge.exe
2800	msedge.exe
4232	msedge.exe
4232	msedge.exe
1656	identity_helper.exe
1656	identity_helper.exe
1012	msedge.exe
1012	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
3692	[email protected]
3692	[email protected]
3692	[email protected]
3692	[email protected]
4992	msedge.exe
4992	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3000	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2064	2800	msedge.exe	78
PID 2800 wrote to memory of 2064	2800	msedge.exe	78
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 436	2800	msedge.exe	79
PID 2800 wrote to memory of 1780	2800	msedge.exe	80
PID 2800 wrote to memory of 1780	2800	msedge.exe	80
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81
PID 2800 wrote to memory of 2100	2800	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffa4e793cb8,0x7ffa4e793cc8,0x7ffa4e793cd8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6252 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3484171671823734764,10986297171540100800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
1⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
PID:1848

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7d4bdd41d7150644a9fecac756bd5298

SHA1
cc6bd77ecef146f18a526ab6a1167649b2bf526d

SHA256
ae1f95fd0cac26454941f0578d73b695849ce52ab2ef95eccbb63853cf9103ce

SHA512
ba873b94e850c6fa0de096961380265ec833778854612e938ace2c4c1772423793d0d22a585533180328478cc23aef6971be56eee2256405636f80076ed2c796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68f5c02a-6c96-4e38-9ebf-0c463cca603e.tmp

Filesize
1KB

MD5
32a979756ae5ffe3c67c7786ead14695

SHA1
c6b27fb7c492bf5d7ddd4e62699643ad9a88b88f

SHA256
f234ef95cf4a429e4a8a8dae4aacab13b5dc77f4da2e84b17daef66bd4cdb45a

SHA512
d329dcb13c404a05bceebdfc4617973cf7241655d2022a715d7efb5ddf947a181b3a2a0e6384c5e832a8dbd3ad3a72c8f17695cd28dbfe07e0d73c0e036db706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
24KB

MD5
657ed1b9ac0c74717ea560e6c23eae3e

SHA1
6d20c145f3aff13693c61aaac2efbc93066476ef

SHA256
ff95275ab9f5eadda334244325d601245c05592144758c1015d67554af125570

SHA512
60b6682071ade61ae76eed2fe8fa702963c04261bd179c29eed391184d40dc376136d3346b3809b05c44fb59f31b0e9ab95f1e6b19e735234d1f0613720e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
27KB

MD5
253c9c80f4cc0a210b53c03bb96280d7

SHA1
0e9ff12fa7c27cf9f2555483664a6189e7cb318c

SHA256
4212d1a0a6f2c31753368b0ad556f90d2eead2177caed493699d243ad20553a8

SHA512
b59c616446bcedcafba37c9c459aef5d15aeddde8fb71ef8ced9188839b7c62f148220985469a7d830201f2d53864fdadfe24c7572fdb5257ed9fffee187acb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4f153ad5a8997bd9f796d2d72fc9ce17

SHA1
5a1c342a40a8204c22b98cc9096208e895d22dd4

SHA256
f5f92202e5d4191a57c3b5a487fde2b2876556bcde6bff6b1991233622508a5a

SHA512
c9e6f37cf4e4f19f88209a1a5f73e43b4540aec15ba12331195aad6b65e7eae69ceb35bfe0be6e58cb7b1f02502c6ea45e839b62e8e34d774b5f0fe0eb7f436d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6ea63f81de2152a61fb4174501d59d57

SHA1
147d2c88c49823f0e5e05f4f75be5e5c8b1e18e7

SHA256
39dc03862251b26fb86a736db9c287de5d2f27d62e6d15a176e968792a7e1c2e

SHA512
54bbcd98e8271ba67dbfa69d47ef20d1574aac2e6d609dbcb5fd51a2d4b041f18312aafe6f3045972cff259c80e30c96369e774f31b54207dcd48757b41b71be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c2225ca4968a7e29c5e52afabd981230

SHA1
1f2aac21955ec99969f7cff287d6b07274ec7855

SHA256
c05c772299c2e0d3f4af07376c12b2f46b6cf102033fb30925d17f501f39ac7b

SHA512
c6b5931a911e8915a7803683bde8608b13450b40411e3e6e8bf7b9c9a2123ffb9f395d163aabb0aa324dad07a62aeb70ae4d43f831249dc8975589d837188155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a630a8d9536658a0c9daf1661c30d083

SHA1
283bc10bac79b5963cfce992c7a52c0b6df16d81

SHA256
468ed5fc8119699e5f3e2ef33f5c2f74898b06a404ef65a418fd397602a85024

SHA512
bb3aad8ea415e7bf4b03b350f304beee749a084242927dd2db68447c5caa16a4e2964f273467b246c44bf9b52683089360a2749c58df2d2137b9bf4be6521a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
6b2eef63d53a99d21a6318546e37d994

SHA1
88ce0a08095836f024f7e41148c225f7581c7929

SHA256
df3441742f0067b8df1448aa0bcac47c0b0e4577288f1323778ded98e0ffc50f

SHA512
cdeef38413bc7a1d43996aa8bbb634478725033c3db74caeb24377cd4529f23cb9e3b5e57ac590a615df8c8f01c43d7e6d84cd476a038b20baaccb7d94d4b47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
511e804bd2ae892cd30ac1cd7c1d6667

SHA1
95631b11114dfdb769e82e0ca8e8905a30f2420e

SHA256
6d7ac0fbcfde3784f0f96f55dd687ccd1cf4bcd3b0a0cf13f3ca3bf728ed9fd0

SHA512
101f3bb4837cbe7866d6f44763d42e0eca327bdb68d19649ca42b3321d1687d7d8344e990caaf20e6282deaa212270f4e4219d558cfc145d8f8246b06bc90a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56eec386c6aa3ec845e238941a29c47f

SHA1
c53e7921c678aa86a830e35b7c521133b4e24235

SHA256
c299c02ec0be1890ab7daae6cda2fe9e5446ec16ff70957c13bbfa1ce12cd793

SHA512
f6ad2f1f6d468938c6ceb5529727405dbad74b50f69f6e46873f438ea34952d9fdafc92b614024beb848cc533edc3fe00bdeba51662dd75c84cb672a5fa0a3b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b4d8a41cedcfd52706e66c48757babf

SHA1
b65a5a77dcd4395f949de880f4e8d7db91090cd9

SHA256
39378de20e7e581ae10fde4e513927b1ae29bdb93174b57eb7cd90ada34d73d9

SHA512
88bebc91d052e5b9d286100de1291e6eb6ef270f6ccac3ba37a49bef4d8fd8f77642dc8b5543816ab4b34459a1e7eb30e30006d9d537f8a5709e677a8cb16f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0bb523bc5d94a5406dc3fa91ee37d23a

SHA1
568d91c92415d8a45e82d6a05d97378d8ec3a5f8

SHA256
3671eab2e94bd68a7601c86c8fa03a5e239a162c71a7206f83b7b60ad7e57d8b

SHA512
4ee91bcf255910033a1945aa2f6139c7dca05152e11779e9be0a206f73c612483f38931340b8ea4d4ee20b6e127d0360d789ab4d9e4a4feed520f8e782b62208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2027f1459aed2db36ddb5008f231defd

SHA1
73936bd1672a54ffd7170e78283f70c2a531b6ed

SHA256
f5a32d91551244ba8ee63beface4a3d61c6accd55bfe89d7e5368d7ee644d5f5

SHA512
1a9bf7317e12396823cff5af47d02e51e8da4bd971eb399dbe270120173cb2dae3f4f9da02734ca839be50163743b96c0eb82fb631a98fea9ed09621242b2924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2518f2e85d0b0804482786852bfe31b

SHA1
d43a01b84f17a1c19125de7ac137c5b461f1b053

SHA256
1e4e749dff2d3fe3805608f301e8f7bd08b83793e4689d9614ba69c618037eba

SHA512
e0f78b8ee2de3616e75dbbab757be81c92059569c660f5f7685bfc648b5a780fdf50898df429bca88c2ec0fbd548c0cdb967f34b2a44feb6265b0904d3b5a460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f42f9cdc91a536e281c6bd5d1a19abc

SHA1
c3af954e997c261b9893c22f59f63cd4b2104ea0

SHA256
49fa15f3f8de7950501275ec7a3dd8c5478c553ec1fd37db0691b4df5021a5d0

SHA512
e9bb5e9efeb618b77eb3ada0986d3d50a3fac9b5edd17a83c25c8fd9d6adf1d30dcbb02c36d8b52621676471ded59be3fcd97a33275ad8cf6723c577edbf4df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1461822fa4af43b87690cbd19e25fcac

SHA1
ad5350efd9e4852aed1633974fd3b6f64fd5879b

SHA256
3f537dda5db16a017a4a589a41ce75d4deb4b69050384386018d08711f56747d

SHA512
c7bca8754fbb0edf25dbf7ded866992ff85fe702e4d27ae91a2d209384436fce81a48c0668efa7e0e6b73575f1d201231ddce96ceb7ffd9224f6ba85c922bb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
00042df6368289238bc60caef1baa46d

SHA1
981c49ac7b10bd2a9d159daf00844110629837a9

SHA256
3ca68414527ece019ac110954726207b8a46bebe6180c2615158f7aebf6e6b1b

SHA512
8f549ecc6a1ac0cc153fe39759b8fe093af520dd94e37b8c32e7fc7e87263cc5b2bf404bff31a5960ad9fcf82dabb5a534fa07cc441ce646de2a8b532c28ff51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
105b35f59e7138d19e86d65e0e660177

SHA1
61f57b10da0f3e936a73c2763806f435b589258a

SHA256
67e98f86a084f2a0e85bc7a20229368aef88a8865c71b036675923a3a704f477

SHA512
d424592deab393c05759933adb608163c9b7540c2cee2768bed4e7765ad10d748baafd3ad47ad137905228b3b6893e8ade1cddb015a62e7de10ad332e4882dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
37237b4fb551279387b55459fefe1ed9

SHA1
c9941572a3b5cd6f511f14ff23e37648de5afb89

SHA256
375c4804c41e3fd1dbb476645a26129d9a02241ec2461759175ca65a0e87d78d

SHA512
3414b946dc72091256b4742e5e0ed4b19e324d4c05bbaec7df843955ddc78e2ca3c3cf6a062032d4aa488447793ef9ae2d07a182cadcbf0638894b20d49d1298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c366bfcb08c1c0a8c5a9fee43ad5697

SHA1
a470f5e1cf601e24710e03cde875f873edcefdbc

SHA256
826c94904f14924a0eaca84023d7bcd721d4f994bde294dd924217a3cd51dc2c

SHA512
f06013608b7044968a10cdfc11eeff65cc316ae9b431dc2bdce9d6f80b2103e271136fbee124cac32fa3a46d5c146bd48cd74015d2036c6164de3acb1be129be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
17182ca00987432172cbe0b9c6300690

SHA1
9583b533c7d64cff395af92dc3d3944f789348eb

SHA256
4f64b45af48fa07500d5ae38ac1cf2351f04802d697e7fe648d7c5129fef860c

SHA512
e625ba536a738d61067da643a8bca953129d3af8f03ec84c195450444d6718e1d187a3727603ef2e01b9fd205fc78c2cf47d854fd45cf84ce56c46f95c21cb61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64816738a43a2b245e7365b8a8a7cfff

SHA1
f2204a496045a9df95c112cd2b5069c653260b25

SHA256
9b90db2b5600e26148118f92be9bf06820043c31babf27eae605c71c64799428

SHA512
8598e20b14f83f913458737338adfcb738cce69d5c6bef25cb6822753b7db227c68ea243d8a5cd03b5398222129d2d3e5dc35faa100c2cbf7be4df938960346b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
78068e0b92024e4b8aa0eaafe502f506

SHA1
ed883223e3e83d07364e6fef8cc357a42ca9ae3f

SHA256
b2cbcabe0bf879066865f4d27a6893e11aa29e87d07809e19821af63374b22ab

SHA512
284ce5169101a705a89bb6af522964d518f1cfc0386cb10d2300856abec3230a197bbbff3d9d9481e937023f708514c9f44bc2f6607d26ec5b8bfb6b82af978a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
248d47205b17bbd49de342d034260ff6

SHA1
7bcf0faf9a3ecc65f79bd25bd1d3219e8c787363

SHA256
4b43336402db8db7b121c43fa3f3aa9e57368c269d358e4fa4313919015be1af

SHA512
ec2ec5c0b451dac69aef77cdb0e6bea249186aacd5d2ce789bd154aaac5a70d7276a6fc9d75b191c96916cc75c5f459fb95f2864faefa06e7dc6973e0da5eaf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41b8c14e1f87308fa21c6ddc7b8ec3e9

SHA1
a10a2fe07d901fe88ced03f0e027e8a031874f61

SHA256
d3dba2a22e1e58a51ff13d07266f36c8e9cff2ea1f28174625696b4df149b8d4

SHA512
d791d108d7c9061213f13fab4600c6b4cf850d187aeb866627207c60abab9e60827c3e35deed1a97d15fe4bca10d108fa8c260df0c30664ed713f2debe1ae42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
2514bb54e0471a23763cefaa4d34f4ab

SHA1
68d8e812faf0ec99dd5836890b09c67d5e023d9e

SHA256
0b869dd15321abe344b1dc741a75c5334ec15ff324e45dc570b5f815c5f906cd

SHA512
8c33ed4662e47eb8d3750b44868cb4feea3703797f53820a933f728fef23b2f5d3029610b3738925f442bbcf1dfdb5ac158c213c7472658ba2d74cc671d0bf75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d22631a567521bb6b9f19476894499ba

SHA1
0cf460d21429ef1a2f33f1b298106281eaed78a7

SHA256
7e5f7ce2b5d1b5f078ac588b5f122a0c8c7f0de51cafbb1499433385c6a8608f

SHA512
73cdc6302482d27088972a56dc0d94c1bfcc503fb65fe7d284a659a19e3bbd179149cfa713acdbfaea25b5d3579f87883230788acd08328b5f0c306bab7903b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e422e0a21266a4eb73bf45caff1d270

SHA1
2752e875f53979187bcc5a794e0701f6207d59c0

SHA256
16cd0826377801cfaf3b3c01c256fc42422f4987f77592dd2ffbb194a470ff74

SHA512
7c7e0fec4b2bec18d47f435d5df52c22c240c25fc8531a7c160598ccb44f3ed45098671b40a03436dd6065c571d3e7b247e56c6487da7976d72040e5b5ad128a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e445.TMP

Filesize
706B

MD5
9d5cb7e2327821ab512b07b2fd611f68

SHA1
2d9c417afdcd62ba3704a6c5859acaad4647c0e6

SHA256
a177f120740666c6e48bbb2f2184f3b3680503e52cad47090795e3b9c803f6c2

SHA512
279205bd0e1f790521c8864ffa5648e7e3cbdc10e311f95e522cdf5bb2a9b8d004a0030c9aeaea571c33792330dee2d4ef5a803e8af1f4bd35fac51e0f9af092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ead1bad09d8d45594b4b088ee018837d

SHA1
f642f157309f36af0ec3a1f96eccc49779636b26

SHA256
78156e9036cb66c5768b7d069930d3badc69ba97a84fa2bb33b7a2dfb0151d07

SHA512
65a81f51aca36bd14b4ea910edafb68ddde2850d6c82bb5f63b785198c98fdc5daf0a7b59b9d5d243f9b960a41c782559da56909a34f2f29aa82802a5c627417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
145374598be0aaa8afa137d597f76172

SHA1
262c90ec183e4709133e5d382f899787e8ee66cc

SHA256
18a06c88c08805adeda2531b87938808c195d2ff8df440b2608bacb27df6afab

SHA512
c6f06e5b60aeabfa99dbb050ea37c49f9c59b960c2ed32562d5bab3f315d0d30faff3a8288e18ac86e8ea2d4c9d4e87d11d3a518f530aab42dbe3c7375a84818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6959174c77968911da240cd47c007d62

SHA1
935453f7f2b1d1735a3b977d62da693ba6c0512c

SHA256
5f373535b8ad596a669783f1439d40721e0e52c73ff4701fc02c384f017569ee

SHA512
9e097004855ee34a0467bad3e25e9970cab2ee946f3f47790780cf8d5ae5c4cb7e38d64c505c7e3ed8d69ed1c851ce36ca64ea79c92df7b72523765f70b0cfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b13311fb372c4072e9c37397a96e2f2

SHA1
741274a8e759a977ee64d46ae11824ac74371d53

SHA256
b524c2e69f82e96c8aee5b6da0b9826d3f06730a3072298a35e4b6ca4bb2742b

SHA512
8c4151945ef78f13c7f532839c86064ae6c31e896d2fb8815c252e34aa6ec8ec31a5080fe477917ab4354fad9594567dcead5ef594f43936662e6cd89a349966

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Public\Desktop\ᚣᡧ⃞ᮒދ࿦ញፑڴᥪ࠿ጏை⡘᝶᳇ᙃↆ໻⺻⿳ᖉ⩢⥿࿇⇞

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/464-749-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/464-723-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/464-724-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1848-929-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1848-751-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3692-743-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-745-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-713-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-669-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-655-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-654-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-683-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-656-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-651-0x0000000002440000-0x000000000250E000-memory.dmp

Filesize
824KB

Download
memory/3692-750-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-696-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-752-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-652-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-673-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-930-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3692-653-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads