hxxps://github[.]com/screetsec/TheFatRat

Resubmissions

11-06-2024 17:36

240611-v6n4javglk 6

11-06-2024 17:26

240611-vz9rnaverq 10

Analysis

max time kernel
490s
max time network
492s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-06-2024 17:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/screetsec/TheFatRat

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Loads dropped DLL 1 IoCs

pid	Process
5600	vc_redist.x86.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
20	camo.githubusercontent.com
25	camo.githubusercontent.com
26	camo.githubusercontent.com
27	camo.githubusercontent.com
28	camo.githubusercontent.com
29	camo.githubusercontent.com
30	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\rescache\_merged\860799236\2353875992.pri	Receiver.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626004267066994"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b763576125bcda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 29f0226125bcda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2772176625bcda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0022286625bcda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8dee416125bcda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
5024	chrome.exe
5024	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3620	OpenWith.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
808	firefox.exe
808	firefox.exe
808	firefox.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
200	Receiver.exe
680	helppane.exe
680	helppane.exe
2308	MicrosoftEdge.exe
4468	MicrosoftEdgeCP.exe
4308	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
3620	OpenWith.exe
808	firefox.exe
4324	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2164	2272	chrome.exe	72
PID 2272 wrote to memory of 2164	2272	chrome.exe	72
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 3224	2272	chrome.exe	74
PID 2272 wrote to memory of 2828	2272	chrome.exe	75
PID 2272 wrote to memory of 2828	2272	chrome.exe	75
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76
PID 2272 wrote to memory of 5100	2272	chrome.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/screetsec/TheFatRat
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb4fb79758,0x7ffb4fb79768,0x7ffb4fb79778
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=764 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4932 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1756,i,9360768582393715223,8933279090497381642,131072 /prefetch:8
  2⤵
  PID:5984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4744

C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe
"C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe" -ServerName:Microsoft.PPIProjection.AppXyc5005t48873jyf8bjkqmmpy1ga90a9q.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
PID:2228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4392

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.0.2106904658\1539834133" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a39d0f11-95ae-4248-9105-e403fd53a137} 808 "\\.\pipe\gecko-crash-server-pipe.808" 1812 1eba1ad9d58 gpu
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.1.743985132\714845600" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2128 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e75fc3-a962-4153-877f-187daf083ac6} 808 "\\.\pipe\gecko-crash-server-pipe.808" 2164 1eb8f772e58 socket
    3⤵
    PID:1132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.2.1335388916\437979550" -childID 1 -isForBrowser -prefsHandle 2664 -prefMapHandle 2676 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8cb01df-b0a8-44ec-993a-399388a48378} 808 "\\.\pipe\gecko-crash-server-pipe.808" 2780 1eba5caf758 tab
    3⤵
    PID:2912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.3.1301170542\1208461866" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef504936-bf21-41da-aa8c-be4f7a0dd6a8} 808 "\\.\pipe\gecko-crash-server-pipe.808" 3524 1eb8f762258 tab
    3⤵
    PID:4108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.4.878369898\1555951413" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 3640 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69e2dcdc-8031-4d7b-a8fa-e2d1ba467255} 808 "\\.\pipe\gecko-crash-server-pipe.808" 4308 1eba7ad9158 tab
    3⤵
    PID:3220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.5.1633710746\1995720711" -childID 4 -isForBrowser -prefsHandle 4824 -prefMapHandle 4808 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95bbbad3-3b3c-4499-a4fa-4f444fb4ea29} 808 "\\.\pipe\gecko-crash-server-pipe.808" 4832 1eba81ab458 tab
    3⤵
    PID:4032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.6.12045223\1779513308" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd15abc-c147-47d8-ae2e-427322cd315e} 808 "\\.\pipe\gecko-crash-server-pipe.808" 4968 1eba81aba58 tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.7.1978429309\1218758267" -childID 6 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9ec54e5-8e79-4b56-807f-c4985dbf46f7} 808 "\\.\pipe\gecko-crash-server-pipe.808" 5160 1eba8830b58 tab
    3⤵
    PID:3200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="808.8.1157544489\619954043" -childID 7 -isForBrowser -prefsHandle 5600 -prefMapHandle 5644 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cb2b9c2-70f1-4708-9e3b-45b995d1ac54} 808 "\\.\pipe\gecko-crash-server-pipe.808" 5656 1ebaa2b4858 tab
    3⤵
    PID:5624

C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe
"C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe"
1⤵
PID:5564
- C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe
  "C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe-Download-main\NoEscape.exe\vc_redist.x86.exe" -burn.unelevated BurnPipe.{9D0BE412-92CA-46B4-A8FE-33DAF164FA39} {E5921849-D3D2-490F-9103-B6DFA1B0520D} 5564
  2⤵
  - Loads dropped DLL
  PID:5600

C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe-Download-main\NoEscape.exe\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe-Download-main\NoEscape.exe-Download-main\NoEscape.exe\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:2160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a82855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:5404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
20KB

MD5
32940154aacfd6a789ba920303a6f9d2

SHA1
fc3d11ee786fce81af7a67e7665281df198413cb

SHA256
3ba01080382954095923d8a2c5fa4e9d743d9d9b57a2b39ae0906072892b0a0e

SHA512
5abe00a74b577eeb3daa3537fd6a68e230220fd90613036be343d5220589e0fc861475b450c58d37abcf4061a0ec264f3a7ec1115c8926bc52f88a6167df9d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
18KB

MD5
277fdee241a520433873c520e31bbc7c

SHA1
28ddf5b9f1353a3acc38a50d8461a791fdbabc4a

SHA256
743027653f691df64995ab146b00c862b25f3c0d97e90b25e0ba0060ead8df9a

SHA512
f2770681a541ee93d159c663a03f2421b5280f736256f44fb834fd165db9d8e0e1bee5eb484dbfedf4e324862322f0c462af0ab5b4389e366f3d716e2b1273d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
202KB

MD5
6a16cbefd2e29c459297b7ccc8d366ad

SHA1
40da0213a9e5ea4cb6948f4a8e92b5e8b97e6cfe

SHA256
9462da5aa6e2a762b02a24b7305bac86349e5b5ea182d36fd6a163de550cde60

SHA512
6a9de0231f9987554a20208a89c6c802d28c57ecb6f9e95771c94156b65c61ac1e18298ce6d3f0559d3a08052845cc2014dab335e119fde731d745e4857b7d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
34ecca9dff28cbc0b9c49c0f2040d403

SHA1
1377b750aa8cff27d09a7d0e3514fc854bc947b3

SHA256
8a9231969e70c1921d67220342059465fdf94d7f3966a80851a94b42bdc46a42

SHA512
27f18a0757b7cc2472004d8da2284815f495d0f3575f452ddff7d889e824d89bae2e064030c49519964e53b4065024c360d386e1bf6323f5759abcec75582b12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8055aaf483a88d598f924477cab5b904

SHA1
c536d5544cdbe5d34c80dcae8ffa4360efe37ba3

SHA256
027dafb3d7aee563c11f7f6b8066d3cb46b6615f3adf01389d317e111c03a49b

SHA512
fdcc93fa233de41deaf9832b559d9734e52e04211efff3117a07f92878d47771a7da13ae5896a774c1bb00a332080d7d36753ce239280d05bf7e0af7dd183127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
eb990d40705eaa863e2a514ea3db90df

SHA1
abf54f56b7688ae4a13b23e223098750091c2983

SHA256
3489bd370250f8156f5374493b6a6c1b17a5e1b00e81c848c78594a250ba417c

SHA512
1b0e1d4a9e4ea3b78eaea43cfffb251d8e4aa5d9b9185cb6ea8464e2fbaee484b3e54dd136f991fc8d1eeabc8c3d887e92ba2176554bdf24d6dedf7dc0172f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
370935f9d7e1dcf0ec7d17e422d09b14

SHA1
a92c636a660b250ddbc74134e5520e51dc110187

SHA256
3318f9233df70edf87125b33c436e5e8bb30a62b63c1df8791a519ac9c0bae7c

SHA512
28c96b526bba50aa01661a04b671666215fdb0201ff38432dd377985755aab9ac7d25dbdf2b36af1acb4890e6366625756be64441cb0ed82532585ea106e6586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3bade2cfdff902cd4bee3cee654d5f24

SHA1
986a46f2f22b60ab37d7ca3eb9b059176cb68c82

SHA256
e4b241c259d3853e22d5bc90487860d54f160599dd48e8193d89b0bdb27a5989

SHA512
b5a4f7a269183e177e9bd2e0a834da541894bc3fbab3d2e5f47611f472428371c5373c86f47da37e1ba1bae18fa15dead43fa32959eac3cfc2eaef3433d35f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b7435935ed4e9c3615f11d445c90315c

SHA1
ecec94107a80f48701fd963ee57f0b89b286f839

SHA256
6221a72dd3bf1e57c9cc48fd98d79da77f3797dc3aa33ed37d35d36bb9fe777b

SHA512
a7e8cb9b6c07881f25e1f69a5a6adb96dd2df0cb2df5eb5556c14e4d225910a7aeeeadeb40a07b18611524d1303c5497e2d2e4c543858ab75ad7fe24838e3b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d0f112e34454bced54e53fb8051cbc87

SHA1
f299d1ef24d3aa190e06701e682ae1222b57aeaf

SHA256
b1b2efdf6ccff82760c82d398288f296c3bc74b07b97a4681263b4a4ac449013

SHA512
3bffb79cc27895bfa12cb3cd9269f57a1451c34f98624c09e29dcb57b098c5d7d3752d60d704b4ac146306b5d2314bde84b9f1f1937ee141b6dc3f6e8f2a9c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
13b35af9f2da9c3d56f80b9e702ab25b

SHA1
4e96795d603c45e00cd66c3bc74e481add004e59

SHA256
1e7485fb7cc7ff4ca0c99565a5255526b11010d2c62b24f5fee3ebbe6328c6a4

SHA512
967087bc980951663c200f6b18f5a6538908cbd44ba1b56001215f1218604d4f937446ae2b461041690ee8d7bcf20a9f19794adcda12732f88d7a4e96e696921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7df0532aedf42b6107086250701e8d83

SHA1
a2e7ef64cdd700a315e20879e3ea4297f8bcc86e

SHA256
67e34fa76df682d1ab647e7cbf87a86dbb804af9d508ae9f3849c571e86acd43

SHA512
10a70ee2730bec158a9deaba4614874f5b7c2e424f0a132e9547416fdaa7b55f01156b53a66ceb85d1d25e6fc99136e1d72f16e4a47cc7dda3f8f68b1272ca71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b68fdacad2f9720234d54614adc2f274

SHA1
69b7e906c4ad97b1ff0bbc737c689f591699b60a

SHA256
b212d08de6570ed709d76889e77416ea6b56de46371ce1df0edf5ad163821344

SHA512
0fb3c570090dcd7c798d4c1e00289c43e577659ab7925ae21b81c62e726ad7e5f958161249af66f912b4bea55dda4d11876f5397e0512c5bbfd8d8f3bdcecd5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
20ae0f32b07db09d33c311a08f98bb0b

SHA1
1428788abd8cc69a2a02985bfcb3d842394087dc

SHA256
7b5362c1b67947e0235a029f3bc1aba5873197add210b1b4558d8e2a6ef1fb29

SHA512
8e66af7111c0f7a2e75e37883ca2f1cdd3d0cfe19abc14796dfcbfd63d70b73e8b4d85b5a7018d35df6599930d9ee601e62be1b7ded7940a47afbf43671133b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6977d040ca8a9f9f56d2097cbf1a0187

SHA1
47d7c4be5d16500eaaeb0322369927e7d9b66eab

SHA256
25141b22056b9793a4fbe58ad2f9dd6d921f076b3ff60ef59699a6a527dcf644

SHA512
b3a89ab5e4b388d17cde9592ac64bb6ea0a8885b3bb987e0fedea8f51cd0578e5f8c3515174f11387a9147cf3bf94640382f46e526d7dfbaacf516473b5b2028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cef7e0c1f95a56ba1e6899209ff19f4d

SHA1
72f2d7a6e4d2fea1f6502479f4ec7b16b19bff83

SHA256
80775c0d6c0f067e92d5447e8203710985dbfd73a214d0ccc17d99bfcdd69676

SHA512
dbbe988642f03a1b6f9657b5416e56bda7ac5799ed1bcedaa1e6c33721cc5c6c51ac2acc6904729de290541623578094c8f73cbafb56035ee01e0fb8a94b7fc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ee2092ffdd6fe2ea45ec02f8c5070b1e

SHA1
1546ebbe84bb43f221472e9ac3d2aaa8482e9d09

SHA256
2c263f052e2b770b580f4c7a16067303f5a6bbb0edf92d3fa7f337227fe3a0c3

SHA512
1c5bb855a085c183e4f1622490533dfdaaea0fa06023d127a1c60aa9c17ad3ddd73a6ff5585a70f0361f521f3911ab0e2d6e67ad490b2e425dbaa9758d741a8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
33ceb4f3f923bdffb8b19b1eb5986ccf

SHA1
bb70d0f790b40372e69d2b108a4b1b610d019c18

SHA256
1b1c93b58b6541ecca59bee6090efa3f1711f433fceed3e8e121701e9f93b37e

SHA512
85fd596cdae5d941426962ba2fb694c149f577bde2a0ff3823bc6e98affd931530edaa8faf0f47add77c246db90b98bc42dc0e7b8b5954172e761d44718e55c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ffde2cc00528cf1af12e9db8208da866

SHA1
761af09089c2d2ba91e5c191ef61cb07892001b9

SHA256
5cb18be89ed78b04923ec13b9c06dd6c13df19941f0139b866759c70abc5bc82

SHA512
c2271228e9dfb45712173954e2e7da05177b253f4e055e74bf70320a1e50a5393efe0182ab693dad0b0d38ad57032a8b9f616fa295a0ccb906165afc0b4d9652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2c6fc96ecd46535763faf88f3c862b93

SHA1
ca828340812cc52a8793fc752e22b5841ad1c7d3

SHA256
f97d7ec0932fe96b650f3133d1d51b93caa103a8a349b3d7643a2108859f1401

SHA512
395738e1c82245c57c4ca22bc14a45e89d4c0bc12a59a8025910d1de94c01f4f2cdf54e22473e8f06dfb2890b173d35e3f4cfef335c74947857a6f322a8eaaf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3d98837ffc9892a0545afa3d60aa7ff2

SHA1
8a500eeb10964bcf35a572d65a762eb9788c5cb0

SHA256
7bea4c3c8878afe36147d423f048620d3262b1b1f2cde96a1676f5869b7a60aa

SHA512
2b019b61ca1cadee5123d4121fe853d81f24fb32f696d457c23a4d7b5a480b0ebfd6fdf9a8d77ef7676ebe29717b4225f9ff5a5655cb7a2a26ec3f3f19191a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fa4ae121cbb12bbe9f34374dc9436d54

SHA1
cc08cca04c6330c055f54ee123faec9dc9c713b4

SHA256
00063cd502728cd5cd033554e79c95fa71e5d58f399e30da4ab8051284d878aa

SHA512
6f6b29c219615136425c078f308ce856c706a6562f1f8711ddfd8e648a7c5013d27f2bcb13dafa3325ae03b436997960aa632d07f096e0fc3b96dab109fb059b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a714fa563f298591593668b074e147d2

SHA1
ceadc651beffde68097a918270e6f4f75ebd8e01

SHA256
c4fadf3e2350328745ad0ae40fef6b104de2cd11e573d06976c95507260dc9d1

SHA512
82662d2f3ec5133c21430c6b77da2f0ffb88b63fc82dafb1e09b65ae426b4f118cbfacf4cc584bf02177f7aca750527df690542370f5ad36699bacf8b2f54d63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2bf5ec1ddb9978b0b8992a539c73aee8

SHA1
a962f321a1ced72834566a81e664d862d8113854

SHA256
f0955c2d52c8697c7bb12207c13033c45b3d0de789b4356dd668aa88684c149b

SHA512
bd8be6a4da05352e2651025821a32c6def9af831ddd4704f716b222121a513b72d3629b8d9d372db435c9f922cb759095c305652ea55e376835e4958a8613d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
c331e60148d5c295decbbe3a544acdc4

SHA1
ba6869b709c8fba89caa4edd242b3d201addd8ee

SHA256
8105fbae00e13f1f586e8f342d69c5feabdafc64306cd989131a6214a28b1c0e

SHA512
6453de92a9a22b2be97a9e14b42a8db8802209d6df44ed41964eea52f443ff2f7fe423853c99597bee6b754ef94e0b1c7589f3a277aff44c53241928d759fb5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
f315d62ee00e69b57e3be9e94da48341

SHA1
f5901280240b655079c4f905af877834010f7dd4

SHA256
2284afc1e5e02179ba5147a83cf20c058c51d9eeddbc4542a2db6e1f8506f722

SHA512
5e0d50fba4f0f189412e2933779f8ecaa4bd37af07c30fc337827e7d4e4dd859a2b9e59a00da8a876892856e155d61569f52a8f749cb9a4a03d1921c51dc9ad7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
b3b36db3951719e4497c98ff7a07925f

SHA1
7d48011c0f0a576dad9b9110d6bc8a7546bcd935

SHA256
67accf86f0b2595a5e2c616e213ffe85eb33031d7064a39f69139568bb5d1a1e

SHA512
c864018ede241e15bc5cd6f62c9a74ec0eae0190fbcfbf762076d7c0a38a08cbfb50621a16eb7c98ac098b5500874f5e4a9fd56e4599a8423f7640bd36d3f14a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
45ffed6ab4ac7c69b8d197c0685f6125

SHA1
436cb44d9a97adb74726e58559a08d87a3e537a9

SHA256
564504b0391099d4f9970b982561fc7d5915bfbdc0b1f9ec699a8cf0134d6c8b

SHA512
cdc5ec839c5bb8fd25070c77856840f39941424eb3c1f073231640b14476bb871e3c41ed50ffd84489bc6cdecfaa1c165cfff4f4e2c14285150fe53f7f91f966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
825af58a2f7fdc3acac2f00a1df7e178

SHA1
cf0bb3372e5ded4e3a7e9b42cc28f6d46effb5f9

SHA256
881ddfd81c73e15f486faaca56c5a37f125439da57fe642af91632058cd16ea3

SHA512
6b1085f2ed5652e073bae27b9189add989d56c87baaf083d11c707994f1cafe27fdc80519ace16a5db6e98780b098f9c94f5ec052a2b50ac69bbd3654c2e91c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
69e8c2bf41154415ba632ac7d045a9c7

SHA1
90240b83f422a9a5d3649e85b18385dcd65f3239

SHA256
3619f83bc15e0c4c6e1fdd02be828ddabd3b6f1edc18bb403007c66bf64a3abf

SHA512
ead511ee79d2ec25aeb7b3647c28358a64982362415ae19871dcf16d6188c1688a737c1ef02ee2f0c4023364713cd43c93698cc0e185104bd191b773adbf9156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
8a5bb837eefdba60ebafc97c1a8f61e5

SHA1
03947d21449f0d3e8a7a43673bd4a43cd7598ef2

SHA256
5c317557a5de03df2e37e8b9b2da21ba77c5c90105f7d9026e18ca67efd6670f

SHA512
16024ac2066fcb1f75cf193b2994c28b88a91c81f6f9b2a6682cbc890a9b4ab2752d9bc81a7a993f8d04bb08ea5be7dd05509ae19a205a24bdb05e6cc8c7e8a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585733.TMP

Filesize
97KB

MD5
c953ecb4aa4fccf2263765f7ab208b08

SHA1
2b466a8890c001d99991b5f643150cf58a48e5e6

SHA256
c5492b84e5650886f4fcaeff952c1f8f02a1f8b91ccb1703a86bb834df8dfc1b

SHA512
40d7335cbc0773453b0ea247acbfbea6923b71b1117c392f71f50f30ef66ae1f799ce3ce8083abe782394765d9036c5c6200c7419607b48babce9d0d73f1e3b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\E469ED0F372A44F05D97518BB8790E844AEF57C0

Filesize
33KB

MD5
8815206fa567a481a61abd9f626f50c0

SHA1
6404adf6ef1353dd9930ddb04cf7aac89c101eb1

SHA256
9d5e50d1b1fcef0d8656fe416257314d10b65791829c311a0cd71e3d28fbe309

SHA512
94324d2519345a5f5045abd86e850a0d3a0b8614b0797ccbfea372eef07d2abbd35229c19d4cc3694edc39dfbcdb92b51d654c6c5ced6eeab7b2d9848ad64f03

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2B28071G\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF9C99325567FFAA69.TMP

Filesize
20KB

MD5
9a723fcfdd1859e682bd4281816f7f9f

SHA1
80c5b7161c8ec1c24fbd51ca4007bbf5fee89717

SHA256
757cfe164092d3474b961e7391ffe48be1dcc56e94c82df3b60c034f6a339ec3

SHA512
db95b7090496b4929bc06b7ad4638102e9ef226b05a7abc0b62ab964a173bc8791ae6d072276f2279911c596ee5619bee62ff2b204be9947f06054212d4e86b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2408284e95a36bb5ced42341707cbc7e

SHA1
1b74fe58391e6bdbf7b4021188dfba6ae4282fa0

SHA256
dfaab89d1fc675f2cbde866ac0ab2880e4e8fc8f07740ae4b4329beaa215374c

SHA512
6929bc81bc279e126b86c1b0e21ae4e5d7eb73194db726f4d7a95b320920df48af42e92a72c24e65d35455fbb0b580108a32289ff904d8824e54f707e1a68822

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\1fe8c762-c85e-437e-b3cb-01993272cf1d

Filesize
10KB

MD5
4b4adc69e00741b23556669d65e550d6

SHA1
3c554a3e81e3a5338687d2c189bc0c99854da586

SHA256
33d243bd3a63c4df8cb3514c2937178f41d1704947cfa5a915046285b4ad27f8

SHA512
b1489779fe09d12f74272fb296fb8146818eabf3515895d0e8f5de08be7f3082d707bde11608038607a8759745120b369948ead6b3a6e9bfa713c8a7dc2347cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\53c09d96-31b6-4e5b-bfd9-8f7c5484d458

Filesize
746B

MD5
4b1833df2ffd90a83f8d118859134c64

SHA1
cfe154947993fa28ea4308dff6d1190cd543441a

SHA256
9ff99b4ac5098e2b4d230358932560e440ca0696259a5fea618562188c3341f9

SHA512
c84bdb2a3241b1da443119192530479337d549c23b6d7fe264ddf97b451afc9b1e841fe9ee45696e44e9e561ff990be961956c6ae0c32a11a2e9ee96c1b723e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
1b99634886ded9327b02f06897ff2815

SHA1
a7529b28456a2db488068ef89bc5ab00504ddb8b

SHA256
22eee54b915f2a87726d3384215c69455222e01c35172ebb5e00b38300813b34

SHA512
6e7217a070c74a39649d0bdb4b2e6083367ab3908a519ea70e9196ca8d576cb250ae653f921c8aa96b6a07f516c3c18dcb169eb9c56cfcc36feb864792fe4321

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
a568d837c97f0bd00a22bb710035d100

SHA1
e8b2aff34afc1f65f5b36f50e5675f78eb7d6f1a

SHA256
61e3bf6e1aa9dfec4314c29be45ca4dc2c4edcf81d2355efd5ccca4bf0a301fc

SHA512
6be5f006825a910d26fe7ac79ab41dab7df3d1ad1b70a3b807aef0450cc2474aec0a921236b6219810f2962bca0a075bd1435f9c9d3b4debea03878782b31bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

Filesize
6KB

MD5
71d298f58089a6e5aad9ca8925624e79

SHA1
5979871cda2587a1b3721731948c76329be48130

SHA256
879cc0c2a7ddda6d3ca44a2ab30e898072774c57e67d54a75ac2cd4f21e40de6

SHA512
0413113f6e9ef8ba433e000de3760c08b314170ad9965a784633dc8e597fc136992cc69d495f81fc8b224c7a63dbd941e5dc252fd1955eee6c890b42c546a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
d68ae1fa89880d0a2bc8f0ac75828a2d

SHA1
7a253c325ff2b5816846ebb32ba643a819da8f25

SHA256
36deb374cf41b0eba75297f8ad1b8d6c1d63d2b8acb0c7034616bf6bd6fe177b

SHA512
5c2f520bb8f11c1bf8a3260700ce365c58fed2a4d342958594a01141eb0e449e190a8bf34036b8ba7cc60dae59cf7da91f7d47230d90424c26b8d3fc739a1834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
09b0c5aef7903febe4884d8723e6c05c

SHA1
24696e78a4af3fbf9cae590e25d5390a1c3192ef

SHA256
fc53262674415c4d7630c889276610c752354d8fe65c75e99131d04a59d7f583

SHA512
eed02a9acd5c20b7da188912bbefd2d7be4cc7ee9e8a121366c3322ce8811286115967f32a170f207125df838fec240d076620c94c6c11cc5d0e88f53d26ba97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
4f89d4ef034428c57a322836b3551739

SHA1
9054be12bd242cfde3f65ab562f0dc75f52bf150

SHA256
6b5aa13b4c03774c8c4ab1ec18364307a75f6c4b91a5cddc87fbdb8b41383dc6

SHA512
97ad8f399858975e90bb2fd265a3ccbafb8023111bea2b22e593f46ec1b5f5488ebc742ee5455a1e0ab32e07943d41b68fc1b5e4f0bcb1af9686ff5af8cdcca7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe-Download-main.zip.crdownload

Filesize
13.5MB

MD5
6da84fd648c8811cc112f4fffe20a24d

SHA1
ba4f8d7fb51ee0a31b068cca51d5e5388c4b081b

SHA256
7b55dfab141eb69abbe47267e396fe8ee6bc4054fc8d4a5d91049b950c7d84aa

SHA512
0ba4c4379b77b465aa13af7ec295a9e7cc1421cff76e735890f46228af2f500202f879468322ad59b6d6ab06710828536ffcddee23093adf82498a365fee6bdb

Download Submit
C:\Users\Public\Desktop\ⲳ⣯ᓕڦᯛ݀᫮᥄ࡦ⇊☧❂ⷝᆊ࿈⯲೼ত◧

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/2160-1688-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2160-1864-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2184-747-0x00000241BA140000-0x00000241BA160000-memory.dmp

Filesize
128KB

Download
memory/2184-441-0x00000241B9910000-0x00000241B9912000-memory.dmp

Filesize
8KB

Download
memory/2184-418-0x00000241B87D0000-0x00000241B87D2000-memory.dmp

Filesize
8KB

Download
memory/2184-416-0x00000241B8710000-0x00000241B8712000-memory.dmp

Filesize
8KB

Download
memory/2184-979-0x00000241BBB20000-0x00000241BBB40000-memory.dmp

Filesize
128KB

Download
memory/2184-946-0x00000241BC050000-0x00000241BC070000-memory.dmp

Filesize
128KB

Download
memory/2184-940-0x00000241BB300000-0x00000241BB400000-memory.dmp

Filesize
1024KB

Download
memory/2184-737-0x00000241A8240000-0x00000241A8340000-memory.dmp

Filesize
1024KB

Download
memory/2184-738-0x00000241A8240000-0x00000241A8340000-memory.dmp

Filesize
1024KB

Download
memory/2184-531-0x00000241BA600000-0x00000241BA620000-memory.dmp

Filesize
128KB

Download
memory/2184-414-0x00000241B84F0000-0x00000241B84F2000-memory.dmp

Filesize
8KB

Download
memory/2184-422-0x00000241B9070000-0x00000241B9072000-memory.dmp

Filesize
8KB

Download
memory/2184-443-0x00000241B99A0000-0x00000241B99A2000-memory.dmp

Filesize
8KB

Download
memory/2184-420-0x00000241B9050000-0x00000241B9052000-memory.dmp

Filesize
8KB

Download
memory/2184-429-0x00000241B90C0000-0x00000241B90C2000-memory.dmp

Filesize
8KB

Download
memory/2184-426-0x00000241B90B0000-0x00000241B90B2000-memory.dmp

Filesize
8KB

Download
memory/2184-424-0x00000241B9090000-0x00000241B9092000-memory.dmp

Filesize
8KB

Download
memory/2308-1132-0x0000025644A30000-0x0000025644A31000-memory.dmp

Filesize
4KB

Download
memory/2308-523-0x000002564C0D0000-0x000002564C0D1000-memory.dmp

Filesize
4KB

Download
memory/2308-524-0x000002564C0E0000-0x000002564C0E1000-memory.dmp

Filesize
4KB

Download
memory/2308-1125-0x0000025644AD0000-0x0000025644AD2000-memory.dmp

Filesize
8KB

Download
memory/2308-1128-0x0000025644A90000-0x0000025644A91000-memory.dmp

Filesize
4KB

Download
memory/2308-382-0x0000025644A40000-0x0000025644A42000-memory.dmp

Filesize
8KB

Download
memory/2308-347-0x0000025645920000-0x0000025645930000-memory.dmp

Filesize
64KB

Download
memory/2308-363-0x0000025645A20000-0x0000025645A30000-memory.dmp

Filesize
64KB

Download
memory/4308-391-0x000001D40D040000-0x000001D40D140000-memory.dmp

Filesize
1024KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads