hxxps://github[.]com/Sn8ow/NoEscape[.]exe_Virus

Analysis

max time kernel
137s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 10:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Sn8ow/NoEscape.exe_Virus

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

NoEscape.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Loads dropped DLL 1 IoCs

Processes:

vc_redist.x86.exe

pid process

4872 vc_redist.x86.exe

pid	process
4872	vc_redist.x86.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NoEscape.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

Processes:

NoEscape.exe

description ioc process

File created C:\Windows\winnt32.exe NoEscape.exe
File opened for modification C:\Windows\winnt32.exe NoEscape.exe

description	ioc	process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "151"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{5489D1BA-335B-4BCB-B084-11CFA1F26477}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exe

pid	process
4936	msedge.exe
4936	msedge.exe
2444	msedge.exe
2444	msedge.exe
4220	identity_helper.exe
4220	identity_helper.exe
5880	msedge.exe
5880	msedge.exe
5308	msedge.exe
5308	msedge.exe
3292	powershell.exe
3292	powershell.exe
3512	powershell.exe
3512	powershell.exe
6128	powershell.exe
6128	powershell.exe
3512	powershell.exe
3292	powershell.exe
3020	msedge.exe
3020	msedge.exe
5356	msedge.exe
5356	msedge.exe
5356	msedge.exe
5356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3292 powershell.exe
Token: SeDebugPrivilege 3512 powershell.exe
Token: SeDebugPrivilege 6128 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exe

pid	process
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe
2444	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4100 LogonUI.exe

pid	process
4100	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2444 wrote to memory of 352	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 352	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 2588	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 4936	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 4936	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe
PID 2444 wrote to memory of 3400	2444	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef88f46f8,0x7ffef88f4708,0x7ffef88f4718
2⤵
PID:352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
2⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
2⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1368 /prefetch:1
2⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3428 /prefetch:8
2⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
2⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
2⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6672 /prefetch:8
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
2⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0808f762he96bh4a16haec3hee07419a1e53
1⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef88f46f8,0x7ffef88f4708,0x7ffef88f4718
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2048008285653047131,935249480155215856,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2048008285653047131,935249480155215856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3240

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
1⤵
PID:2352

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{460A36FF-7E91-4F92-8510-A3B9515CA48E} {EBB406EF-ACFD-45FF-942F-7819657FEF38} 2352
2⤵
- Loads dropped DLL
PID:4872

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:5068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3950055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1d19cdbe13d1aade20e9926e790a7156

SHA1
1f6256e522703f359a56901417d3c292c828f400

SHA256
1d24a65df782bf4d7a235d1a857ea4b5a7050a2175aecfd298d8fb801737d427

SHA512
e0f3c3c7d1b370a12acb384938b2430f2e1b573e466df2e1d7ca13f66a84909ebb1ba9e80dac384b06f066596db7e3ec1df91a0261ac3a28f70dbc7e7bea94c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
9f981dc5957a2ac0189a5206c2918a70

SHA1
a15407e23b1dba9a270ad425ea2c9e751e6a64d8

SHA256
0400ccf6f351608045cceaafe5e00e5d84fd741bac181f27297963feff1394cb

SHA512
cca7ce4d905ecd43ac021111139d37f0897a89a1f582e54c3ef2f0e9f7c410587c6048d2fbb0becbd1597bf677b16b7d552cb82ec59e776c14120fca9a99dc92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
3444f2e4d8cb909fa96620f828ff1121

SHA1
ae20de4689462cf33324336b0c43b521cc57f5e8

SHA256
9970b24049e3a407b3ee9e348a5280dfc0f58eb6305a87f83cbbfa6cb095d4f0

SHA512
9b5e23577198dba1b7a4f1e440e15f0dfa54479c5cd427b5f112be7e43d492a10ba6bf0c7128899c08f26d53cfc4d5878776fc4b2db57e0a5676721f7bfcb183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
9e032cba9aab57679a114c0bd2c3db71

SHA1
f3e5971668b121cf427e305612e71db310f83d14

SHA256
5b9fce96c53b934d77759f04887d13650a9ba7c1582a194ba30eea11c61627ed

SHA512
ef510a647e579c1ab5200aeec1eb565ad0bae722859bf8f45a191732f4b4a50235c47c8b42e5f16a1566bf2f45f8f56acd3d340a567d3dbfad6c87cadcba82bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
89ecc71070980c139ed5aaf252b8e5b1

SHA1
1b5326bb5b28b9639cefdf1bc1ace170bf09522f

SHA256
0d79209d5faa2984c8f4132f973aae1e234ce5a8b6dd6d025acb3250f9e1c1a6

SHA512
bd772520313a398495f21e3e0df0b8ea61c79de4df686a9bd0c78f7c67ffa1902801ad12e81aa657c9d5163f4fa96e648d05f9ea07b7ce6e7e758960a6211bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
f7abd39b5f993e5439181a4e2e160149

SHA1
cc3caa98aad580206c0a30183b71095e40beee76

SHA256
0fa3f820e495b73d10844559d91aab081b549efe2a78d93e17b378ccfd1325fc

SHA512
7b8ebdbf2d243188079fd6b279926810d708ed48be610f81db11b624ac534e9cb5ae9195e7df2c429eae968441cd6aaa9b37c82d8a6da55d07928de95f152a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b82f7f4e9c8719da695271d5fb3b9c77

SHA1
3c8c0d2951ff337520cf9255e80c78d952bad35f

SHA256
0c5f57aaa00d4d2e7bc63904452e5ff880def7e9af2245b3d99756b8ab415b16

SHA512
06ad8ddaea3b533747909b8fa12365e7faeae9de7d41e7daae69076e6e2c999068fae0b7fcea7156abbcdf1050afae7c69f2614213411758855039eb6c4c9b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
94f30ae59daaf3361738c2d165ea9417

SHA1
a7f6e0aaf67d79a92f0ee4d50b347c25efd7ca2d

SHA256
d55cfbfda3060bb1f4ba9e90575597420d07138e51a1eca6ee4cf37a0a7b7681

SHA512
e2cb9f791dc031b073f090f6dcd51c415693727ca8e48e8d69f624436a17f28c554f26095c7b1191186ed8ef3575369b4ace8254200aa4d0123c53cb8a2687fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
99dacd7751ac42fb0f7893ed37ce8d2b

SHA1
1327b4b429e7341cd2b233048d242489a77685ce

SHA256
82512cabcd219995802759abf9a5b18de1b250eac0aeaaae0c36d04b8035c313

SHA512
02f52990c7f12cffd09e7ef471787d11a0c904086d9752aa6af8c3b1248fba72c23f90ca92aded46a36720aa2ce0da413b5602705cb3ac4891addfd5bd4ec0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
26a06abafd76801f5353110290a6b3d3

SHA1
6f2e829809d911b21495e98dd7bb4f8f93327e99

SHA256
6c76e2249ac0569a54191ff88545419db40ec82f034679fb3e4cf47623c98650

SHA512
e1b42631706e2aca04c267d075a9cc8c63054e49b6792c58d877bc6bd748e0576786d08b59e803d1023e115bca164bcbe5196d32daf641e126f9e96229f6c3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
866B

MD5
c8fa7b190e1e419facd306da2b753479

SHA1
422c25459aeb55054a2d8ce0a200aa059ebcc5dd

SHA256
ec0ab872def7fc77e18d92f0f288cbbbb951c73c600fef85cd5cd206f39fa29f

SHA512
8c51da26954588697d57d8b6ed83824fccc5a830fd5f778e63f1d94b1e203e6ea237e07bc66402137e7ed3c6314d02c7a90524e7591ce8336399212f20ae1a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
49a9d20b4242eb234049bcc89416cb44

SHA1
dd439b66500cfbc16fbc90633e54735bd3ae0557

SHA256
eec522f315ee0e114fac7cb2bcc2066697026e9befc81e51fc1cb57bc0896cd0

SHA512
75b8043b38c16e5cd28eab920b6f196b693029a1b6afd69935fefe76a4495b3d319aaae51ca6eab4f7aefa5dbe3a6f024591d1d4e1e7d261f6beac914663da0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cf94.TMP
Filesize
866B

MD5
a99e0f5c4e95780869af6c21e68e7c48

SHA1
de57af6523c74a3456ac13a0e52a380abbaab3ae

SHA256
22c65e6760dcc8280d4766a9c5b3c4e05fbc60940dd56fe83ea2371c51156e1a

SHA512
9337ff593c2ff309a94d0fa996587bbbd80363d1588fc3abd38f645faa17d939d57b780d8fdbc78f0e9b02893b13f78beab17c16ada14688954841e5e380b2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
283c508bb300fe4081aa6ac81e5e6bdf

SHA1
9675fcebf9c8cda098fbc374b9d6ad9dca73d641

SHA256
2af8a207809f20f401f189fe1fb805d75754b4d78a91e6d55279b185e74b7ce8

SHA512
cb5f05be7a89215fc7dd6ea0a6e71a1bd8fefd80513a49feaddab70bdb1e3a8f48433225e781f5d15a783882f8be1e44cdfdea78d76aa7571769275906cff650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7407ed6eb82c0c912e7ae9cae97336a7

SHA1
dc44d9a0bb13b6f1665829ac84cbbf243f7adbf0

SHA256
b63b395bf7e8988f825637dc45914ebab845245b2292c8e89e3e7604fe4c69d0

SHA512
4b522847f16c1ec559a44fb989cdfca4466d9626b0c4d5d68ee666806965531c5e3c46843b6ef602ba6a02a2ccdf5954d1250516b15323ee24cd17db1a624811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0187058e1d391e1fd9033663c441b7ba

SHA1
5795b6c34d81523d625e858fd3a04d737d5929d7

SHA256
82d8bf5c4ddf4b890944316ccac52cdfd375c3e9eb7a140fbb6a076ca5d8445c

SHA512
9cff7d669cf39aa0f6a15ec51c09cf436d449c5d3a26cd27febcc901e4c6b108e4ea0af90f4038d79f3615d750e4944a2fd957d4b5b08ff3eb6fa842acd650aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
36870e9cbb8adbbde7d045fba92153bd

SHA1
572647e9e5b39daf890845b22524713c423ddd69

SHA256
66a979ae7a4b2f3de72c4f115a973d844175eba248342b7e783a1f9ca0ceb7d4

SHA512
e307a26723a066d478a4d516341709fc1823fb68b772de05cf0eae6fd62e1057208ff850f833ad322c6236fdca15a54c65c5cf3e9a04970feaa26a0ccf2df1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
dee2e21b217c27dd6fe81640c45fa2ac

SHA1
944c39fc98557a6543e5bdbd209802c2f17d340d

SHA256
2d64d6530fe33b7f29c05fe2dcde7335e34a4a869807f7aa205bc799ad5cd88c

SHA512
c25dc6607eafe7189fda7c6042d5c99dc0e7a5e4f7bf7de627380c30c098af7b0111044303b137cce0ae1e71200668d447542f8bb6f4055d5b6993951b1f2de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
3KB

MD5
7c187faf65e2123ff6b8564cce3487f2

SHA1
35dae9d77ad9b2f5156c147c09f13b615f4fd0f6

SHA256
081cb8eb4a4f1ce6577387ed6683c9f1f5e5e5bf9a0d48f13f5d7f5c0c400add

SHA512
8adeb4412c987529368ab387b25aff6b2a5b5f550bead4c609f206d9d504e93fbb708ed8798e58f15349c06ed3a387a9e098ebcc7e14740aee750c654bc3264e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzc3aov0.0hr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll
Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
f054f959e6bfa568bf50ef97e21dbe52

SHA1
4247d3406229d8eb0f5df7765df25c12e7907f6b

SHA256
c374388a2426ca905cfeb92ecebc62d1955bd508448c140f16c64b2e7d942e56

SHA512
cdb2685446e9987c62288a4dd90e4fa870e38c35d931c34ebc1dd0f6b544fdc8ce8f99b0c1bc670cb80f3ede929d02243af634ce33bc22cdaa9903f563ce912d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
5d626ace0d6cf21ed9ccd4a88f6dc3ab

SHA1
7ed096e329d28a48121072d24e76cc8d2ed73e84

SHA256
139f605be20023255f363a782c7bc4032622e6ae5740eb84f3873a918360f596

SHA512
18176e39047d9fd2898093b22b9fe0bb3bc7f138af862a2c87892848b9653818f54f5f7ca70948055a9000f426dc206f3cb4c4dff1d1755038b797c363eb3a76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
947cacad251070084d158014fcaf2d27

SHA1
502351f16aa493e6b5657818a1c6a82138c1ddc8

SHA256
bf74e97a1bc318d6ff4e8ace7912a5303474c0d90d9a5e860c10017e32d813da

SHA512
59baa060a2c65bcacf84e1c011ee7c4ba5e61ffb661586dc50b0ed457083b1c16d7c885f3de7ff08606636c194b19acd910d634c7af8cd33608e2c2fd0c43d94

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip
Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\޾ᷦ⮲ⷑ⿷⹄ᄊ᳨ᚮੰ࢟ᬷീ೥∲ើୟ᱀
Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
\??\pipe\LOCAL\crashpad_2444_EZIOBNHRQDIFTAEK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3292-590-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3292-579-0x00000209D0850000-0x00000209D0860000-memory.dmp

Filesize
64KB

Download
memory/3292-567-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3292-534-0x00000209D0990000-0x00000209D09B2000-memory.dmp

Filesize
136KB

Download
memory/3292-568-0x00000209D0850000-0x00000209D0860000-memory.dmp

Filesize
64KB

Download
memory/3292-566-0x00000209D0D50000-0x00000209D0D94000-memory.dmp

Filesize
272KB

Download
memory/3512-600-0x00000254C8370000-0x00000254C8380000-memory.dmp

Filesize
64KB

Download
memory/3512-572-0x00000254C8370000-0x00000254C8380000-memory.dmp

Filesize
64KB

Download
memory/3512-573-0x00000254C8370000-0x00000254C8380000-memory.dmp

Filesize
64KB

Download
memory/3512-571-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-578-0x00000254C8370000-0x00000254C8380000-memory.dmp

Filesize
64KB

Download
memory/3512-569-0x00000254E25C0000-0x00000254E2636000-memory.dmp

Filesize
472KB

Download
memory/3512-577-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-720-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/5068-721-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/5068-906-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/6128-575-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/6128-576-0x00000168F6430000-0x00000168F6440000-memory.dmp

Filesize
64KB

Download
memory/6128-581-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads