Analysis
-
max time kernel
53s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 01:59
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Sn8ow/NoEscape.exe_Virus/releases
Resource
win10v2004-20240508-en
Errors
General
-
Target
https://github.com/Sn8ow/NoEscape.exe_Virus/releases
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
NoEscape.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" NoEscape.exe -
Processes:
NoEscape.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
NoEscape.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NoEscape.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
NoEscape.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini NoEscape.exe File opened for modification C:\Users\Public\Desktop\desktop.ini NoEscape.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
NoEscape.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" NoEscape.exe -
Drops file in Windows directory 2 IoCs
Processes:
NoEscape.exedescription ioc process File created C:\Windows\winnt32.exe NoEscape.exe File opened for modification C:\Windows\winnt32.exe NoEscape.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "95" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exepid process 768 msedge.exe 768 msedge.exe 1280 msedge.exe 1280 msedge.exe 3260 identity_helper.exe 3260 identity_helper.exe 5280 msedge.exe 5280 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe -
Suspicious use of FindShellTrayWindow 63 IoCs
Processes:
msedge.exepid process 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
msedge.exepid process 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe 1280 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 5600 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 1280 wrote to memory of 1036 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1036 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 1444 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 768 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 768 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe PID 1280 wrote to memory of 664 1280 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus/releases1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e446f8,0x7ff8e7e44708,0x7ff8e7e447182⤵PID:1036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:22⤵PID:1444
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:768 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:82⤵PID:664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:4676
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵PID:4712
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:82⤵PID:4748
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵PID:4624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:12⤵PID:1784
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵PID:4892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵PID:4012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5452 /prefetch:82⤵PID:4652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:12⤵PID:5076
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,11427395034349294340,1964793008842240144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5280
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3520
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3840
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5492
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:5808
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3913855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5600
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:4344
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD587f7abeb82600e1e640b843ad50fe0a1
SHA1045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5d8a0f3ae569adc53cc77baac4b0439e4
SHA16f8e31295049a3c3b667d382fa2a7e5ffda56d01
SHA2564236578f27a4383560dfd9fc994cd46a9053dd5cf9e2acb9b21eafc6a3446fe6
SHA512459904fced70b0e6c80853c17e9ad7b46ed21cccec528e93fc6df726714c52871538dd6b294836d0aba2ed6ddd08ea940a9f146f1e131f87a80bc5513ee1c56f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD53dd9e63a2c0ecebf969454e3f2e71fab
SHA1ab1bddfc2e35683279aa59bc460183150750291d
SHA256ff54560d12c37dcfe75344f0e7adeeefa553b920a9dbf0ef39ca78b3c90c9eaf
SHA512db501ff3a17a9a423b2519273ad1d3848ed8c260a4a17bccbed51e93d6e7d493e812d84610108a86761f2b276e87a427fd05be4f78408e0384b7443bcc6552bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5417debeb8690a29628358e69bcfef854
SHA1c57008f36a9faefe40040f5813539b4182d10292
SHA2569f01b25b07d90ba37a6461ab0c4dbc7c5e0e5c14a27cc1775bcbe5a5af4fd56a
SHA512e42884f163d74e82775bc3c40f39dfe13cc2474531f899641306db92f55bb822666732751cc3c6e13f7c031b24a4a7321057fe6e8fd3044641ab5608a4495434
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f7734fc51bff913a69d938dd91b61c20
SHA123965872f5dd040d53db4ef56cb218d942aad94e
SHA2563c13a6010cd00080ffd83ebf8bbba528efd9ad3111248cab3bbdf78af7576b6c
SHA5122a96df17e061283492bcf63c49ada35a11de606eab292a4673a6e70490bc098971f2dfc7a747f2ac17923b9ac7bc7d80cb73d4f078b5a4bb8ceb5947f98ccb6d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5432b2df8f97dc6d7a49f0453da474760
SHA1d4285224ac3d2302fc4eb12ec69094caff680d7f
SHA25649efa56fe5562d46ce5b186085fb791323d45ad0165ff2b3d72b348c60a091a0
SHA512418273e27cd70ca8336e7de8017395ab3a29346a820d96f05008211b0a11870d1281e822be34d4fa6b054eb463903877cf47817c66b934eec2467c8c60ab2786
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD596295ab4858364f9ae8615e73695b140
SHA1c81ca4d734150a0e3e1fa6e9101cc3df377bc4a0
SHA256541341fc4d54f0ad2e11dc8644696b07c84f9656bde6fdf341008ebba8d94319
SHA512dc79741fd705eeeeb0c5263f03714b6f1d946a97baffbd57832ac3472d44832f5de449ae8ba3a51803969e09eca649ec900f33063715509721766f3979be931d
-
C:\Users\Admin\Downloads\Unconfirmed 751334.crdownloadFilesize
13.5MB
MD5660708319a500f1865fa9d2fadfa712d
SHA1b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA51218f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517
-
C:\Users\Public\Desktop\ৼ⾕᱄ᬉ෧カជࠥወ⨏⤱ᖭⲥ⇲׳ᚘᒁᐅᾜFilesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4
-
\??\pipe\LOCAL\crashpad_1280_KCQHKQJGTNBQSAENMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5808-196-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB
-
memory/5808-375-0x0000000000400000-0x00000000005CC000-memory.dmpFilesize
1.8MB