hxxps://github[.]com/Sn8ow/NoEscape[.]exe_Virus/releases/tag/1[.]0[.]0

Resubmissions

10/11/2024, 01:43

241110-b5k6pswldv 3

10/11/2024, 01:25

241110-btcp7awja1 10

Analysis

max time kernel
461s
max time network
464s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
2292	msedge.exe
2292	msedge.exe
2856	identity_helper.exe
2856	identity_helper.exe
3100	msedge.exe
3100	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe
3772	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1200	svchost.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2200	Google Chrome.exe
2200	Google Chrome.exe
2520	Google Chrome.exe
2520	Google Chrome.exe
3992	Google Chrome.exe
3992	Google Chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 940	2292	msedge.exe	83
PID 2292 wrote to memory of 940	2292	msedge.exe	83
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 2112	2292	msedge.exe	84
PID 2292 wrote to memory of 224	2292	msedge.exe	85
PID 2292 wrote to memory of 224	2292	msedge.exe	85
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86
PID 2292 wrote to memory of 532	2292	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12636679140825098302,1011909911902129797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2780

C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe
"C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe
"C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\ecb97ae348604fde9725bcbd80f0ce7d /t 1436 /p 2200
1⤵
PID:1604

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\471574b09066414ba2021cf9716db04c /t 1240 /p 2520
1⤵
PID:5072

C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe
"C:\Users\Admin\Downloads\You-are-an-idiot\Google Chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
441b265ab7cb43d572896ce7b977f55e

SHA1
90654edd03111ebb9109a53cd0ee821f3454908c

SHA256
cb8125732cc076f418f6197f19504c22f046b3d859cc4ee84de5d9a5d5004c3c

SHA512
7498c3b1f64dbfc105c5c85fd3c536a638afd5d41ae6c97b43a829d7a4bee598f7bf5385ff24c96ebf20f627dd621c63f8d4b19d73baf6e68d2a8428702e7939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3bac12efc071fbc4a8453ce5e36d516e

SHA1
d022fe4ba2475f01e54dc77529c58e5f44defa41

SHA256
6b80b3a454720e62b791a11496a5064cb4dea9b49b307a490a765ed1c01e240f

SHA512
b5fa9a870932d604e19f00cc00c80bb80604e6743aaacd8c6d232b831bb2de5c9d433facb6ee14012dd58f75f8e8e5ab67741a20a523c68eef98139aea7776bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8683f1bae2d3076fb0877aeddc6ea1a4

SHA1
4d9058660f0a81fe93cf414c8d756b276daaae91

SHA256
7dec8cbd052143c8b2aa159bff43ff0052664912418d5b5836e37dff192f4c19

SHA512
69c3c34eaef3de79f931c61491a39043a203037e05aad2e2b304f1d1749778a7d072354731b7b7e5615ed44fa48c5626de3953511600336c63c83d3dbd7fc74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
3a1d7b1ed2f7f3ab5065a79dbccca6ed

SHA1
354e3d981dfeb4b31a61bcbaaea2f340503b8645

SHA256
d58ae5293e77aea7d6a2707fe101974377027560fbe4715aa4af7a42e758062f

SHA512
1192fe9084d36b185b1c9dffe9aa6cb3dc3c0b8ef01fceede2467b3d3124ce1932a63f6edf0240733981ba66bf75e43cbf311a928a7a4f2d13b8c882adc4053c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5dc4fde14f4a587f04b3444dfc7b2817

SHA1
bf0be492b6f54fecd21f6a396823648b7f9cefe3

SHA256
83139677ebad9c77bcd5638565a046f240ebd3d6c57117e2fed62c0daf9a0d5b

SHA512
64ccf90fb65d9e8797114bf18c608319e1b71c0ea9b9071fdcff62618f006ee45705e5dcc6045340377f9886e920d241a904cb1395373decc57bdeda550bc0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d1c97be1ed87e2a8027cb1c7892a435d

SHA1
76ab03dcef1b1bd0442664100b03dd2515e704d9

SHA256
70dd32d79563a8b5b765c546a19e2e25acd6e1f087b2e816dfd200ae5be862a1

SHA512
b98383f2e6480d565a68746757af49afd3313c9aecac6b50a07b6cb062e47ac1e0a872f77c039815f230c5360bef5f2b0e7e24d82b37c31c3c2d6ef43ec2539c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
94cfff42fc2570126ab71a5ca6cac48c

SHA1
21d694090e50561d497fb142e4e42df4d3a03a15

SHA256
e0ba6966d90d7d30a29f0164a9f3dc9e13a5d0453c6f81bccefcafb5dea0a58e

SHA512
cf938e155d9fdc05692141efc4a7225a7a840b6ab7f03591347b879ef75fb4499318b9d66214dd7efbfaabd7bc03f66924aebc57e977e417460f88aa0d2164c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5a3dce89f897d61edcf6b8cec44d3c6b

SHA1
e16daed5208a26c0a60c5de317592873564acd83

SHA256
e998aff8aed37ad01aa9ce34e1ee2f58b37087c42d3f3133829fe2fd08154acb

SHA512
b30e115f67a93639c05eb37a894b81e3089f920861455b5e51eb8cc18ce7ead6963f32be7a91ef67a535e125633d27fd21ff09d92d68e4581c08a75befcf7ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19ddfaabd95df8eca704464d0a1efd5c

SHA1
35afaec2db62fec69a2ba30f2aa5898f1e1d174d

SHA256
6bd5bee830d40ebf0c1a8149132641be4346fc8059c47353978bb787323c767e

SHA512
d3268c603ea1f1d40338c7f64a87541500d9fa88503031203623e8fd96e970c6398f6a769027e68dd2949ce200ff2790d774897a30db049529e1ab93ae066438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccf6a5893f6fcd97965be5ac4f2c0d1e

SHA1
6df309410c03cc39a0d8373554758ef8ecaaa20a

SHA256
cbb6aeb8e3814dee63d993b46032728755a18851b02c2bbe071c05bb6bd57fe7

SHA512
bc885ec671c45975455a9a0e5fe965127d6e142440223397836514176459ae8ddaf3a7b68166c97ea9a59a9cfeec8adc80683c4d62647b460d1e26138f013f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2efcb0e3ed832c088048168c593f326

SHA1
12ccefca39d0c7ec9103d9a2fb22af5409b22c71

SHA256
1301768e5ffe5377f144f231e884b50da6091cc296ff33dc9d9ffc4e97191855

SHA512
229c63cf66d1d99e27f771fa9a5f1fae1603389c3417b64afee2742d93d3d58547603423b305bcfa0f61f065adf45b4c14097ac2d1d2836dab98615b80ae9756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ddee3aa2fb43209f9c177633d393241e

SHA1
708c0f8a15547b550c9f8c86333e6b57be5f6541

SHA256
d309702174c5cf4a57288e42de8307b9ab57a6bbab9385965fa384f4b9144c65

SHA512
07617b08cf7219e11f1e8c181436e6c691e8b17ca01b5f47b89ad3e4e5a646f6d39812e89bb03a19fffd691fc31d22b28b89b9e113984a54ccec2520e1465576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f8a25559d4d59ce420aee7365fce137

SHA1
83ab41d1c73290f235681e40560c0639323c4571

SHA256
dfc26d83432f87da629c5c3862bf408046f6870148c23608ecc53ec5c0d9d19e

SHA512
6b3fefbe043dd4c0c6442b7ce6f3cb4185302278be59f2c115cf0811b5dbaa1b2449d8c63a62137d10f2dd7cb30bddf5f1fb16de253c8b2411905782aa29a63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f2a7cd8ed9f561fa0274ec7658ba0ffa

SHA1
2acfbcc0baa4599fde08d55d895fae19bd65d046

SHA256
225ef4021f9d6f7a9057e9b0043851504b00715c2cb6f7099a64715da3cd8161

SHA512
0bfbb72b91b2f16a50eec4f1b1e0ecdf44e9058552ef70fcf265fd33215a9d76edd20f04a51ca6cacb349ad9f710f6e35a75a6ddd56c5e4e49ba547564c64760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a7e12130cf5fb8ac23792d17ee25d7dc

SHA1
c24f6d57d741de28a9ac39d5c2a464c8088bd140

SHA256
f45102227ba91958955a7ae2d10768375694532482d41ee3d1b65eec2fb3ba31

SHA512
b3ad24cc50cecbb857ba61b0eddef4c4dad5b4f2a74b40a96eaa93e82de3466cc22dcf0aa17682c87bdadcc04e41c202c99c0955afebaf3fa67d0b149e8de9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5867fc.TMP

Filesize
874B

MD5
ca7183acf147ca965ef591cf7399d285

SHA1
c0ba5a63dd071a01cfa595477056843091876246

SHA256
304561aa0e8f50f53e5ccd19db70250df1bb25d6cd85201dd816b8fcb95aaeb4

SHA512
aab10318fa3280be62b7654a2dff27b9fb823d185a0f0faaadb66ef9513ebe492cde6a3bf3bdff67a0f9d7ebd0f59c3b4880cf51a8409ea2608a3d445fbf0b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e6301d5ee8d29ebf0dcd7ade87c001b

SHA1
7ac5708dd77a2a16091be0e4a038ebec99b9c64f

SHA256
9545aa29d8b84d98e502192d422484ca7580088fafa5ec5b24eef6727c740d91

SHA512
ffd256df04ad4eadc4c43ccb42289bf6e7cd63a35a41b379c6af5ef234ee4d6c4d4f476133e64d897cfafc414b2f28b3a929715b9b43353264e7a4b1e546052c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f43750357f25cbae04bb8fb4043a0d1f

SHA1
1564c555274ab2c818454768dfa9d822b6ace188

SHA256
b9544e4080a05ec9d233a1d66b11c106f35a5bc817912b02bb8326f30f88173a

SHA512
bac608445c016dd632ea05eed3d822128d00c3fc7215d017874ccecc097d6d45e1f8daa77f149b7003164199ef65b51aa220d246332d7b67cffcc05a938dbc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88d31b7ad2ac71b83784ec34a53b4bf1

SHA1
c2d57803e7f582126b402a903b94db6fbfdd3fa4

SHA256
5a096bd42f99044606aac45f3dff6e644c4e8ade3a728c0e2eaa2ddae55fdf09

SHA512
72d057bf7754980e82dca981c217bdba34c67c528103922e24850a2a43341fe72b91ffffb0bafcb99318b497b65b5d079bed7641465a83f88743b0e1e79f3c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4593a92081c12da49ca0a8a32b05bb74

SHA1
2a24bca062123d25264155d23118d377110114e6

SHA256
bc757e6a22740c4b1a5df95bccb83088997896611f6d095e83d6d0fb530292ff

SHA512
1cf3626e8a3cd3b050dee070c44043e134962ad9f44cdc3b2b342fd6844e7e2e61cd40ff9a808ecfaf64259b41c06b77632c948f02278cb5a538932cb817112e

Download Submit
C:\Users\Admin\Downloads\You-are-an-idiot.zip

Filesize
33KB

MD5
4acd75f2bfeb99226a8c9cc721284208

SHA1
4c5fc527d8825952a6f45d4fcbab3bdb074e9713

SHA256
47dca4e070081df4b70053c858a851dbd720845d4ac579eb5e7334a44ffa16c7

SHA512
ba18b878ad12916ae75dd1f5fbee09bbdfef4776d243fa4e9d7b34a113978b529a242c66e868c52cbb0cab4198d0b356e83dc36355f9452e03e7fbd4e0f9f6e0

Download Submit
memory/1200-667-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-672-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-647-0x000002A2A6B80000-0x000002A2A6B90000-memory.dmp

Filesize
64KB

Download
memory/1200-662-0x000002A2AF160000-0x000002A2AF161000-memory.dmp

Filesize
4KB

Download
memory/1200-663-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-664-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-665-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-666-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-698-0x000002A2AF000000-0x000002A2AF001000-memory.dmp

Filesize
4KB

Download
memory/1200-668-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-669-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-670-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-671-0x000002A2AF190000-0x000002A2AF191000-memory.dmp

Filesize
4KB

Download
memory/1200-630-0x000002A2A6A70000-0x000002A2A6A80000-memory.dmp

Filesize
64KB

Download
memory/1200-674-0x000002A2AEDA0000-0x000002A2AEDA1000-memory.dmp

Filesize
4KB

Download
memory/1200-673-0x000002A2AEDB0000-0x000002A2AEDB1000-memory.dmp

Filesize
4KB

Download
memory/1200-676-0x000002A2AEDB0000-0x000002A2AEDB1000-memory.dmp

Filesize
4KB

Download
memory/1200-679-0x000002A2AEDA0000-0x000002A2AEDA1000-memory.dmp

Filesize
4KB

Download
memory/1200-682-0x000002A2AECE0000-0x000002A2AECE1000-memory.dmp

Filesize
4KB

Download
memory/1200-697-0x000002A2AEEF0000-0x000002A2AEEF1000-memory.dmp

Filesize
4KB

Download
memory/1200-694-0x000002A2AEEE0000-0x000002A2AEEE1000-memory.dmp

Filesize
4KB

Download
memory/1200-696-0x000002A2AEEF0000-0x000002A2AEEF1000-memory.dmp

Filesize
4KB

Download
memory/2200-577-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/2200-578-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/2200-576-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/2200-575-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download