hxxps://github[.]com/FlyTechVideos/000exe/releases/download/1[.]0/000[.]zip

Analysis

max time kernel
220s
max time network
223s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17/08/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/FlyTechVideos/000exe/releases/download/1.0/000.zip

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{420D2710-E1F6-49CB-9004-638A4C51CC41}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\000.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	msedge.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5100	msedge.exe
5100	msedge.exe
1644	msedge.exe
1644	msedge.exe
5004	msedge.exe
5004	msedge.exe
1892	msedge.exe
1892	msedge.exe
1268	identity_helper.exe
1268	identity_helper.exe
1648	msedge.exe
1648	msedge.exe
3484	msedge.exe
3484	msedge.exe
3300	msedge.exe
3300	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe
1644	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2500	OpenWith.exe
2500	OpenWith.exe
2500	OpenWith.exe
1100	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4908	1644	msedge.exe	81
PID 1644 wrote to memory of 4908	1644	msedge.exe	81
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 2836	1644	msedge.exe	82
PID 1644 wrote to memory of 5100	1644	msedge.exe	83
PID 1644 wrote to memory of 5100	1644	msedge.exe	83
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84
PID 1644 wrote to memory of 1888	1644	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/FlyTechVideos/000exe/releases/download/1.0/000.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb03ea3cb8,0x7ffb03ea3cc8,0x7ffb03ea3cd8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,5035040679066999209,15339580484807871740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:2844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D0
1⤵
PID:2220

C:\Users\Admin\Desktop\New folder\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Desktop\New folder\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d1055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70e969d4a2b40aef8eb0736379c0bcfb

SHA1
608c4fdf0e6b820eed23b793884e11210b32be58

SHA256
82e6cd647225c2781d32207ca56e1bf5e85dddabdfdf67a469c6e8910062975c

SHA512
e38f13e75d7a74400b1c21be8c5d8045c366078c4bfd7a25de86a872a22db8b383484c4f044d433f557ba3f181670398eeb7322fb6946a3bfff03875576b596d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc36221d3cc9a4657faeb51e3ea7023a

SHA1
22e3f8e68b2dd3992d544f8ca57c48c6878f77f9

SHA256
f393d5cc1a1b59d1bf0f19ade21515652b60bdea4b2d11780b904eb90fdd7b4b

SHA512
1d831b911b8e6970f3c829d7aed3c7d0faeb3f986fa029c8db8e2b2ced40898ad96b26311e620300ecd6d5a71f444582052b9ae11c4231224010096105bdb117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d54aeb9-69b2-44a9-b561-2762c9c94ffc.tmp

Filesize
6KB

MD5
60727cdd0d911c547581946cc3f6b98c

SHA1
adb10d938d484de4ed691ed8bd9e0f31fbad4af8

SHA256
a9cd8364ab66467618cbe4581327807e6163e86ff5b1e408f0bcf875f9373a67

SHA512
37b57bb7336b0a92853263bbb7c7c985db09c586517e1707d94fd5e66e65809fe9d83c34c15cd2954a264922a6b229b07f56ce6688a633ca4b4c4bca33a7f63d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
0aba6b0a3dd73fe8b58e3523c5d7605b

SHA1
9127c57b25121436eaf317fea198b69b386f83c7

SHA256
8341f5eb55983e9877b0fc72b77a5df0f87deda1bc7ad6fa5756e9f00d6b8cac

SHA512
6a266e9dad3015e0c39d6de2e5e04e2cc1af3636f0e856a5dc36f076c794b555d2a580373836a401f8d0d8e510f465eb0241d6e3f15605d55eb212f4283278eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
27KB

MD5
c3bd38af3c74a1efb0a240bf69a7c700

SHA1
7e4b80264179518c362bef5aa3d3a0eab00edccd

SHA256
1151160e75f88cbc8fe3ada9125cc2822abc1386c0eab7a1d5465cfd004522c8

SHA512
41a2852c8a38700cf4b38697f3a6cde3216c50b7ed23d80e16dea7f5700e074f08a52a10ba48d17111bb164c0a613732548fe65648658b52db882cacb87b9e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
18KB

MD5
6dd7f12496a6b9d4e1b8260432ebdcd5

SHA1
1685fea50adb3854684e5c3b03f3495ad2d05dcb

SHA256
ccb79d0bbc1944cb5d70fab3b26328c011d39d20562d7a89d8815d1bd8d0586b

SHA512
ec7b0da819e2082a5e9842c1788975db5948bd65cb8a6ac7b45ead5dbb8ff63dc5ec857d5195a60538a78a5a6c554f4b0210b80b3688e5d561621a800e5c162e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e535bb1ed1fea62c45a2492cba18ec22

SHA1
693bb0685f77d29128c8c6ce4c795c25450416e5

SHA256
bff98b6417a7d9cf8b7e0583ac9e48196e36d6da02617d39f018ae4314ef6cca

SHA512
1340c979cb23c2e4a7df1f1824ab5e41b4decd7830fcd8924819cf919c2f0f71855fa952d50f3e29d779220dd534fe8e7081e19aa7f5543c350d38ccf6be2f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
78fa0b39b290c90a2df6f01b9536adfa

SHA1
7b9f5759b87ee32c7907bf43570e7b077301a73b

SHA256
e2437d024ad31d40dfb372a0b80933361a7df4ec044bf0ea3c47dc70d66064d2

SHA512
c56b1801e7bd35550b24aed6e0fef833ea3a38d17f398afcf20ecd3ba21665fa0e050745903382c0790493cc85335fad5c4a6afaf3e48d924510b3232cd46730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
713B

MD5
8a51bc3c48a46f8605d192f4cb1114c6

SHA1
9a3adaf5347fa0e4b0df195e3409b0e0c76cb37d

SHA256
06aeaf36949322b53e8f89cb37191be9387d4f769113fa9417d54af4cfda877e

SHA512
c163d2ad9d1ee7559ddc10e3c51dc437fe7b4ebbde71508ef3c61f99bff3a97602ab41faf4dcd446d9d3d1dd4c2f0005f5c46f435c11e7cd76c246909389edec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33e23f1eb7bc32253b04ef30e8f00621

SHA1
35d3a82daa8e9a536da900531899b4ef30f40c0b

SHA256
7cdd98249e2d68d00b1cfdfca18820cda401ce5354716dbab7bc86cf8e5253b3

SHA512
8c139fbf64c19da92e80ec4c68eac7d4b93381a22f400bca3bd1f0d042f22ba22202ab4100c2bd19e478ee1b04b50b6fbca12a6781450a314ba2fbc80da69e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc7c60744b6ebcfcb3257598c528edc1

SHA1
62c29dac2899c16385d6136ea6dd8e4e76fda8e2

SHA256
41873ea75324fd4a1fbaf104b49e75a3afae406b56e10ed9762651117dd77be7

SHA512
dbbb781e0187fc9c38a10672c6dd348d9f224124d8509295fdd0187a4d8175331bdf99dba89d4e5330a93d76bfaad7158122a00ba8d478ee4bd105c717dc2fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5aacbb24c55db91ffe48ada37e97f91a

SHA1
c0de5000298caa2073c104370a218736980d6ac6

SHA256
e856fdf5f074243e25640a9ab842fc17d28abf45a6d3e55e7fe828fac98888bc

SHA512
77bcf98b6b555f2e17ab7263ae4d73a2e21251cb6691e3cf71f7944e5c2175f8b2545e3cbd437098b87f8b4e3a2719960d245ed6e8e1e99dc57002e50d79513a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b6bb5f5240c1a437f8d98866dc19f8c

SHA1
842536f002045ee7ce995600cccadaf1b96313b8

SHA256
d12b8fa3e4d3268ad24b384518f3bb032bb8359e3d8fd9a12194ad84451b7b01

SHA512
c09651cdcee24623b078e1b06883a33d7f838cf7e6020e7980aa49b3fe5f908f01719ec63c8e0d37a8c307c3cf0435f54beaeae468f67f759a007e5c9609fd3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6246b5fb43944fca805804669cb2479e

SHA1
f231a8d356593b59ce310b655334f99f2f237e60

SHA256
f7f2248e81f08363f34b9de9b3e19cae14bd07fbf329943c99098df9df4d9a1d

SHA512
1051e51f603147c5c6e75149d976e04de2449ab6066274e6d743bc8398fc559f58d6710bf34e00d6f4d00e95e76a06384cd3fa5be77c6fc240e8786d869d0e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8e2cab456be90775c6e4447739da977

SHA1
a422f8218285eff9a8a20ffe39d83fbf9ae404b2

SHA256
5ee34f23e5d88fc196a412103c317279a9985d73071e9a848b5e1a7fa543f45c

SHA512
798e0a0f19de539b9be7cacf2701b302f84074378cbc6630a1054c4ab4001bf82ecd92484b498ffb9c07970b8b7073ae669cfcb0555a6bee16be58c1a91db157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
908bd95ab47d8083275b572e5b4f37c2

SHA1
e07779839b92800a32a7cd76c7dd6d8f3076ae96

SHA256
c34cb6bcc2906921320ef9640ef3b10784708347491079150188adc30ce1b399

SHA512
a8eb3a9562638520866e569351133209254444a981275cdd4aceaac67519e7f1913bff3a47023e94e7bb4df0593c98fb3a73f23282a70e3acbb5c318cd85ab67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
8c0d6616af07f61a695d23555f03afb5

SHA1
4d920d7f35be99217c86ea4dc2396a55e960a537

SHA256
ecc17c289b6a0f4fe10cae7e9eed2413279d3d4354d82fcc9bc672b7bd7493aa

SHA512
f903fe7977d14cc2d021bbf54f103421d0500cbf7b7f3cfd4ba93ae56af294307ec1b7d82c93d1fb530bb132ef4d009aa244ce2a60c23d7748b5ca08e4c7a2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3da5afcb91daac9e9a20b26382e28496

SHA1
02007c6377792b2406d5ef4d7431b26987641408

SHA256
4e29dda3536f24ab638dc07b965da9ba31139dfbfaa9792a002294e214fce619

SHA512
9469e92c824e9155896b59f967674c173f151fa5e0d28714543bf550a7e75095d18067ff964c916a6511ac086492023f221ee895c017d1f275be656bed33a1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77485b1ef7efe731ec31649dc89385eb

SHA1
5f04575693ca71dd6e765b8b3b4c8e66a1238686

SHA256
354cb4343a327df7018c0dbeec7e8af76fd131a26de8dbc64ddb8a6b068410b3

SHA512
95e82360983fbc87249702828b45fe7d0b50c8e9b7c0b117a42a984c166b31b9e8771229c374001b4d7f481048fbf2a7a523befff575aaedb391f800b2014353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39c530f92ed3e755f4c4603e7a97b935

SHA1
728a53f0748d4ac8e4ae63074508c36688546036

SHA256
b57a24b1e3230a5d24ab80a21fde450f433d5fecc344cd3378612f1f7f21feb9

SHA512
2961ce9eba5f25e09ae6f281c24be5c646083d5d377e2d34931b26566545817c2e2cdf7accd3460f439707fc4b25da7e2be15a32133d8c47618bb0b9815cdd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5948b6ec8864be1f6ff45198d4fafb98

SHA1
77b0c8db1bb7bd8d2abc95f5389ce87c4832173a

SHA256
706668968820785c566e783558ee322ab26ac19cf968f3b7e29e1c8635eaa0b9

SHA512
743b48879c6eaaa9a8219e6797edea233a52ef1b66f80d7434c7b9dccb9e7063a02598ad3f3f5f01accf54c29941413ea28dcff3efd4354054835b4045a810c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
99e36e25298b1ee4aabf6a2ace449c12

SHA1
d8efaa3cb817f2fca89d0bd2bc811ad8fb06934d

SHA256
6f7dd007a59d0ee872361d85fb98eceed75c89e91edd92c6b7b53b73bef2388b

SHA512
23e2e8ddb2525b791cc5f1cb96795f7ba951b59d5d0cdcf5c90a873f6856a146393f47c0d37f3b6e3c2913da4663ea8f533a2d1dde939b22560ee0c850956fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bc85333225b63bb96506b8f7008cfd4d

SHA1
f787f287291efa7c88262b81b2beb3ba135b9a48

SHA256
827f3a315625dccca49833bd709b0d58a0e2b9f2790c85e57857c119d739e526

SHA512
68ec24b41d9e6f5b6da90bb6b075c379272ada64626c7924eb682136eba5871719820744eae1ca63f475823dc2e942b0aaa99c2e6f78d65d8adce6d5a121d4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
951e8dcd65f7e6695f31c6d41872afb2

SHA1
39f7ab5c424ff8ee17dd9002525b5561f484d162

SHA256
4ada791871d6ac982792bc3941de06e6dd4294c885961487bce3db119d230559

SHA512
5172c69685defa77fc0e30f67a7fd08fe46449727837460257fe0b83ca0733e49d74c93d9cfd9af3fb7c38ac2d7d6861ab171bfc003e3592ccbe12137fe3ef6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1f4.TMP

Filesize
203B

MD5
5411a293600726ec0130c23790bd57dd

SHA1
1a6fbeddfcaa137b4c2b11e0fb6efd2a64366041

SHA256
e80a7f6c7232b23a63765f2b9e680ea742b10548b77e94145d8d24182f88a3cd

SHA512
310d621d6d3e66f323bc05bc6559ee7bee72199cf7479c5cf735afe4755e1314b7575306bf795aa7a865684ad96a6c042528eef4fdd1db85d3e34e6af9b05ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2578f53abfec3da1a366cf89feed1c0a

SHA1
73c729668215009cf6cdf6ef6e7682b73fea18c0

SHA256
42d8b3fd9d621036d3c2f0a4d296d073a5d29b23c8807f42e522176adb2e6af9

SHA512
eed145c228a678b5470eec55f300faa167a6ca5ffe0d26ed845041cc9c4ef70f3337db6dc2347be105fb30afd598d285791048d2edba6e2c28b869d687693a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f0dc2d32bacb9b0713130e648a4b1e8

SHA1
2d3616c79f2b101f7afbc6760b5b63c1e1f9e1d0

SHA256
43418f29efa2e71db60c2d24d70db29f370ed0ff82fe2d45aee80a916c661bc7

SHA512
8b12b409a72d94b9707b145978e5fa259490db735d11907ccaa428271b4e2005b82e35179c47a5c93d1483877f813330a9bc6c0e58bfd432d6671c7b6e8f9e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b65403675b724dc27292f4cd949e4afc

SHA1
08f9c1a1debf8a8f1628da0c22d74aaa3537dc9c

SHA256
36dd725652d8aaa4bb200b4cac82037813e3fa8f596de3cd9905d94b0c314783

SHA512
e28a98e67cdb345579505a57e80fe4c8db66aa44ea7139f4e442007ee59c4651a3c2ef583972637cbaf21b41f908680c2e0a1bee6d8ce2fa0192042dd27f1edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c248809fab11659faf0be6745719ae98

SHA1
0621ad88c5e1fef50f6a6f555ccd49a7c8030ae9

SHA256
bee1eed48ccc2732628eb3b480ba404f229724e00bd7a4a08bfb0b8238e80367

SHA512
6864ebd45b64fa8d4f3a0b7dd9a5bb56f1dca4ce64efa4341e959d76dc43fcc55ca4243ddab2fecc4d72a4a17b5eb9717f3e68fde192080673483aa7c2e04da4

Download Submit
C:\Users\Admin\Downloads\000.zip

Filesize
119KB

MD5
f5d73448dbe1ec4f9a8ec187f216d9e5

SHA1
6f76561bd09833c75ae8f0035dcb2bc87709e2e5

SHA256
d66c4c08833f9e8af486af44f879a0a5fb3113110874cc04bd53ee6351c92064

SHA512
edbdc1d3df9094c4e7c962f479bb06cdc23555641eeb816b17a8a5d3f4d98f4d1d10299fd2f9152d30e3fa9e5b12c881fd524e75612e934b287109492ee1520b

Download Submit
C:\Users\Admin\Downloads\000.zip:Zone.Identifier

Filesize
578B

MD5
500568569bc3a9be03ac8232d8dd336f

SHA1
289bdd71e7d209daf2ffbf13da83cd158ae0a270

SHA256
85c7087b292567747f19d62f2ca141a8669b671a412f7ad05ab71dd6ba68bdff

SHA512
09689187cb0571ebdb25d54b2833c55cbad243b4d9e79fde358789bdda063a6e991303037172f4d56d1af2ff6571d3ad316cc6dc200dd50022deb3df9172119f

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier

Filesize
652B

MD5
adb166ddcd5b4696a3283e7dce6d67d3

SHA1
7a1b1a6278eb62f884e24074ad6617fc12afef7b

SHA256
3880794233638cd13da579079af5551a97d84f925112184c85dc8b85de757c7d

SHA512
9e6152a2f90f1381ef01afaf9b1521e0e78786a799fb2e4f9dfe1599e8a80e169ff3bc016052a6b28652b1a9f7a277994a3faa17eeff2b59956fb22bb19dfed5

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 197543.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier

Filesize
653B

MD5
ca17631a8bc25263d5b13c64516d95ac

SHA1
89984f60a1ea815329a762333db14ce2cef3c09f

SHA256
46bcdd7b0125f4ffbff89db54db92e5528c1d5b36d9970f9eca676c7e97a2379

SHA512
813e7be0044b4383b17d3c44982ec02966b61e85c4b354c17d2464185f80f5c98931e6302028c5ae8d14f5b4434023408b159f6799851364542945cc6ae4395c

Download Submit
C:\Users\Public\Desktop\ᝌᐩᓞࡿ⩍ޥᤈᓡ੣⽶ᙬ⹓ⳑෘⓆᆯিۗᏺᮇㄥܘ⠄←

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/1940-1352-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1940-1539-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads