Analysis
max time kernel: 137s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 10:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Sn8ow/NoEscape.exe_Virus
Resource: win10v2004-20240226-en
Errors
General
Target: https://github.com/Sn8ow/NoEscape.exe_Virus
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" (NoEscape.exe)
UAC bypass (1 IoC)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NoEscape.exe)
Disables RegEdit via registry modification (1 IoC)
Processes:
- Set value (int): \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (NoEscape.exe)
Loads dropped DLL (1 IoC)
Processes:
- pid 4872 vc_redist.x86.exe
Drops desktop.ini file(s) (2 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\Desktop\desktop.ini (NoEscape.exe)
- File opened for modification: C:\Users\Public\Desktop\desktop.ini (NoEscape.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" (NoEscape.exe)
Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\winnt32.exe (NoEscape.exe)
- File opened for modification: C:\Windows\winnt32.exe (NoEscape.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies data under HKEY_USERS (15 IoCs)
Processes (all by LogonUI.exe):
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "151"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Modifies registry class (2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{5489D1BA-335B-4BCB-B084-11CFA1F26477} (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes (pid, process, number of hits):
- 4936 msedge.exe (2)
- 2444 msedge.exe (2)
- 4220 identity_helper.exe (2)
- 5880 msedge.exe (2)
- 5308 msedge.exe (2)
- 3292 powershell.exe (3)
- 3512 powershell.exe (3)
- 6128 powershell.exe (2)
- 3020 msedge.exe (2)
- 5356 msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
Processes:
- 2444 msedge.exe (17 hits)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 3292 powershell.exe
- Token: SeDebugPrivilege, pid 3512 powershell.exe
- Token: SeDebugPrivilege, pid 6128 powershell.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- 2444 msedge.exe (64 hits)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
- 2444 msedge.exe (64 hits)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- 4100 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid 2444 msedge.exe wrote to the memory of the target pid, all targets msedge.exe; 64 hits in total, repeated rows collapsed):
- 2444 msedge.exe -> 352 msedge.exe
- 2444 msedge.exe -> 2588 msedge.exe
- 2444 msedge.exe -> 4936 msedge.exe
- 2444 msedge.exe -> 3400 msedge.exe
Processes (child processes are indented under their parent)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef88f46f8,0x7ffef88f4708,0x7ffef88f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1368 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3428 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6188 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6672 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1114628581697244650,3756084763949074501,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0808f762he96bh4a16haec3hee07419a1e53
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef88f46f8,0x7ffef88f4708,0x7ffef88f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2048008285653047131,935249480155215856,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2048008285653047131,935249480155215856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
  Command: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
  - C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
    Command: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{460A36FF-7E91-4F92-8510-A3B9515CA48E} {EBB406EF-ACFD-45FF-942F-7819657FEF38} 2352
    Signatures: Loads dropped DLL
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  Command: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Drops file in Windows directory
- C:\Windows\system32\LogonUI.exe
  Command: "LogonUI.exe" /flags:0x4 /state0:0xa3950055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation:
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD599dacd7751ac42fb0f7893ed37ce8d2b
SHA11327b4b429e7341cd2b233048d242489a77685ce
SHA25682512cabcd219995802759abf9a5b18de1b250eac0aeaaae0c36d04b8035c313
SHA51202f52990c7f12cffd09e7ef471787d11a0c904086d9752aa6af8c3b1248fba72c23f90ca92aded46a36720aa2ce0da413b5602705cb3ac4891addfd5bd4ec0ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD526a06abafd76801f5353110290a6b3d3
SHA16f2e829809d911b21495e98dd7bb4f8f93327e99
SHA2566c76e2249ac0569a54191ff88545419db40ec82f034679fb3e4cf47623c98650
SHA512e1b42631706e2aca04c267d075a9cc8c63054e49b6792c58d877bc6bd748e0576786d08b59e803d1023e115bca164bcbe5196d32daf641e126f9e96229f6c3ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
866B
MD5c8fa7b190e1e419facd306da2b753479
SHA1422c25459aeb55054a2d8ce0a200aa059ebcc5dd
SHA256ec0ab872def7fc77e18d92f0f288cbbbb951c73c600fef85cd5cd206f39fa29f
SHA5128c51da26954588697d57d8b6ed83824fccc5a830fd5f778e63f1d94b1e203e6ea237e07bc66402137e7ed3c6314d02c7a90524e7591ce8336399212f20ae1a69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD549a9d20b4242eb234049bcc89416cb44
SHA1dd439b66500cfbc16fbc90633e54735bd3ae0557
SHA256eec522f315ee0e114fac7cb2bcc2066697026e9befc81e51fc1cb57bc0896cd0
SHA51275b8043b38c16e5cd28eab920b6f196b693029a1b6afd69935fefe76a4495b3d319aaae51ca6eab4f7aefa5dbe3a6f024591d1d4e1e7d261f6beac914663da0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cf94.TMPFilesize
866B
MD5a99e0f5c4e95780869af6c21e68e7c48
SHA1de57af6523c74a3456ac13a0e52a380abbaab3ae
SHA25622c65e6760dcc8280d4766a9c5b3c4e05fbc60940dd56fe83ea2371c51156e1a
SHA5129337ff593c2ff309a94d0fa996587bbbd80363d1588fc3abd38f645faa17d939d57b780d8fdbc78f0e9b02893b13f78beab17c16ada14688954841e5e380b2e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5283c508bb300fe4081aa6ac81e5e6bdf
SHA19675fcebf9c8cda098fbc374b9d6ad9dca73d641
SHA2562af8a207809f20f401f189fe1fb805d75754b4d78a91e6d55279b185e74b7ce8
SHA512cb5f05be7a89215fc7dd6ea0a6e71a1bd8fefd80513a49feaddab70bdb1e3a8f48433225e781f5d15a783882f8be1e44cdfdea78d76aa7571769275906cff650
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD57407ed6eb82c0c912e7ae9cae97336a7
SHA1dc44d9a0bb13b6f1665829ac84cbbf243f7adbf0
SHA256b63b395bf7e8988f825637dc45914ebab845245b2292c8e89e3e7604fe4c69d0
SHA5124b522847f16c1ec559a44fb989cdfca4466d9626b0c4d5d68ee666806965531c5e3c46843b6ef602ba6a02a2ccdf5954d1250516b15323ee24cd17db1a624811
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD50187058e1d391e1fd9033663c441b7ba
SHA15795b6c34d81523d625e858fd3a04d737d5929d7
SHA25682d8bf5c4ddf4b890944316ccac52cdfd375c3e9eb7a140fbb6a076ca5d8445c
SHA5129cff7d669cf39aa0f6a15ec51c09cf436d449c5d3a26cd27febcc901e4c6b108e4ea0af90f4038d79f3615d750e4944a2fd957d4b5b08ff3eb6fa842acd650aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD536870e9cbb8adbbde7d045fba92153bd
SHA1572647e9e5b39daf890845b22524713c423ddd69
SHA25666a979ae7a4b2f3de72c4f115a973d844175eba248342b7e783a1f9ca0ceb7d4
SHA512e307a26723a066d478a4d516341709fc1823fb68b772de05cf0eae6fd62e1057208ff850f833ad322c6236fdca15a54c65c5cf3e9a04970feaa26a0ccf2df1a3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5dee2e21b217c27dd6fe81640c45fa2ac
SHA1944c39fc98557a6543e5bdbd209802c2f17d340d
SHA2562d64d6530fe33b7f29c05fe2dcde7335e34a4a869807f7aa205bc799ad5cd88c
SHA512c25dc6607eafe7189fda7c6042d5c99dc0e7a5e4f7bf7de627380c30c098af7b0111044303b137cce0ae1e71200668d447542f8bb6f4055d5b6993951b1f2de5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
3KB
MD57c187faf65e2123ff6b8564cce3487f2
SHA135dae9d77ad9b2f5156c147c09f13b615f4fd0f6
SHA256081cb8eb4a4f1ce6577387ed6683c9f1f5e5e5bf9a0d48f13f5d7f5c0c400add
SHA5128adeb4412c987529368ab387b25aff6b2a5b5f550bead4c609f206d9d504e93fbb708ed8798e58f15349c06ed3a387a9e098ebcc7e14740aee750c654bc3264e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzc3aov0.0hr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.pngFilesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dllFilesize
118KB
MD54d20a950a3571d11236482754b4a8e76
SHA1e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA5128b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
5KB
MD5f054f959e6bfa568bf50ef97e21dbe52
SHA14247d3406229d8eb0f5df7765df25c12e7907f6b
SHA256c374388a2426ca905cfeb92ecebc62d1955bd508448c140f16c64b2e7d942e56
SHA512cdb2685446e9987c62288a4dd90e4fa870e38c35d931c34ebc1dd0f6b544fdc8ce8f99b0c1bc670cb80f3ede929d02243af634ce33bc22cdaa9903f563ce912d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
5KB
MD55d626ace0d6cf21ed9ccd4a88f6dc3ab
SHA17ed096e329d28a48121072d24e76cc8d2ed73e84
SHA256139f605be20023255f363a782c7bc4032622e6ae5740eb84f3873a918360f596
SHA51218176e39047d9fd2898093b22b9fe0bb3bc7f138af862a2c87892848b9653818f54f5f7ca70948055a9000f426dc206f3cb4c4dff1d1755038b797c363eb3a76
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
5KB
MD5947cacad251070084d158014fcaf2d27
SHA1502351f16aa493e6b5657818a1c6a82138c1ddc8
SHA256bf74e97a1bc318d6ff4e8ace7912a5303474c0d90d9a5e860c10017e32d813da
SHA51259baa060a2c65bcacf84e1c011ee7c4ba5e61ffb661586dc50b0ed457083b1c16d7c885f3de7ff08606636c194b19acd910d634c7af8cd33608e2c2fd0c43d94
-
C:\Users\Admin\Downloads\NoEscape.exe.zipFilesize
13.5MB
MD5660708319a500f1865fa9d2fadfa712d
SHA1b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA51218f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517
-
C:\Users\Public\Desktop\޾ᷦ⮲ⷑ⿷⹄ᄊ᳨ᚮੰ࢟ᬷീ೥∲ើàŸá±€Filesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4
-
\??\pipe\LOCAL\crashpad_2444_EZIOBNHRQDIFTAEKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3292-590-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmpFilesize
10.8MB
-
memory/3292-579-0x00000209D0850000-0x00000209D0860000-memory.dmpFilesize
64KB
-
memory/3292-567-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmpFilesize
10.8MB
-
memory/3292-534-0x00000209D0990000-0x00000209D09B2000-memory.dmpFilesize
136KB
-
memory/3292-568-0x00000209D0850000-0x00000209D0860000-memory.dmpFilesize
64KB
-
memory/3292-566-0x00000209D0D50000-0x00000209D0D94000-memory.dmpFilesize
272KB
-
memory/3512-600-0x00000254C8370000-0x00000254C8380000-memory.dmpFilesize
64KB
-
memory/3512-572-0x00000254C8370000-0x00000254C8380000-memory.dmpFilesize
64KB
-
memory/3512-573-0x00000254C8370000-0x00000254C8380000-memory.dmpFilesize
64KB
-
memory/3512-571-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmpFilesize
10.8MB
-
memory/3512-578-0x00000254C8370000-0x00000254C8380000-memory.dmpFilesize
64KB
-
memory/3512-569-0x00000254E25C0000-0x00000254E2636000-memory.dmpFilesize
472KB
-
memory/3512-577-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmpFilesize
10.8MB
-
memory/5068-720-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB
-
memory/5068-721-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB
-
memory/5068-906-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB
-
memory/6128-575-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmpFilesize
10.8MB
-
memory/6128-576-0x00000168F6430000-0x00000168F6440000-memory.dmpFilesize
64KB
-
memory/6128-581-0x00007FFEE5430000-0x00007FFEE5EF1000-memory.dmpFilesize
10.8MB