hxxp://noescape[.]exe

Resubmissions

17-12-2024 02:08

241217-ck2hmaxrgk 10

16-12-2024 01:58

16-12-2024 01:44

16-12-2024 01:41

16-12-2024 01:28

16-12-2024 01:13

15-12-2024 20:09

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-12-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://noescape.exe

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3856	msedge.exe
3856	msedge.exe
2652	msedge.exe
2652	msedge.exe
1592	msedge.exe
1592	msedge.exe
2944	identity_helper.exe
2944	identity_helper.exe
3956	msedge.exe
3956	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2728	2652	msedge.exe	77
PID 2652 wrote to memory of 2728	2652	msedge.exe	77
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 948	2652	msedge.exe	78
PID 2652 wrote to memory of 3856	2652	msedge.exe	79
PID 2652 wrote to memory of 3856	2652	msedge.exe	79
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80
PID 2652 wrote to memory of 4248	2652	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://noescape.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffbc3933cb8,0x7ffbc3933cc8,0x7ffbc3933cd8
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,111562719320004968,17459028852436325208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
574d76cd5c2a8a941f7d2da72e274468

SHA1
30eccbd627e828680b3a83c30a8253b045812a33

SHA256
11611cf7893fba742a5f8a6ec45b3f0442504eb76c029ad352fadad9399429e3

SHA512
f946f4dcee319da436ebf10b0d2dfb8d3166cfd6a9734a39514a10474cd92e1b67e4cd9cb947fa5da77acbe1533002fdea666237ffc3ba307dde1a0a5d137475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fad46bcfb13b792be9a43f7f56dd42ce

SHA1
aba6a537fd8c72351ca3cee60a6d89788d85a770

SHA256
479554971763e06a77e7cfa8ce46f88fa9651f6974b590116b90bfb4609f5f2c

SHA512
fd7950b1f99a0e098caad8c6c34dba36f7c6c9b0abc3b0bcb84b6922bd18d576c2ee5fb63c3948f965ad43e497b3fa5b1d32c49cac5b75bba8e75515e4192700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
52e6fe84807712ea01526ce48cc9391d

SHA1
b5076f1527e86d040077e63ee2d36733e81a90ba

SHA256
90b04620ec723932965870a3f298351c28841bb56d3c77930ada7031a4482fb9

SHA512
d7e8ed8a68750cf7d5d0c56aa27c09c39e3f865e5db24cab382c658c1e7ae3d59887d51916afcf890dac85a17c4ac533ab3a1a6e5dcb3024bfecdb2408da5577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0f41cfe519c4633b0106cd198755c02e

SHA1
0516b5ff7213c16b861c2070724e5cffd5289450

SHA256
befe425fe41198cc3713f1fb37788fd455848bcfc8464d84b8d6772626469e09

SHA512
75d5231b00febf8ef5562cd1e023e3cde57d5f3070387a87cca5fbac150f196013ff5c9745480c302355690f6a4f1b90d3694074f8abdd147e2b740ba657e9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6267d31881eb427192dc2180754266bd

SHA1
4215292c7fc51a040ccaeaa81a1402508cf61ce6

SHA256
167d9b4fe1a635b0a72312aea17c5538d7f26e6e5812e781146f32a212d09e03

SHA512
ce73d9135594dd36bb1087c4dd9fdf539cc113311b6c2b3cc5c6fa3fa8eafe9ae505e49886027a51747770ca6606c29193df1448865a5b08d44c2ff852bb3427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2654e2154bad6a993f1d6ff2f5b8800d

SHA1
07081b986cc71661bf87bc0994a055eabaafa9b3

SHA256
a6c0430b6f5b3cb0af4f8e1eb9c35a8c35f933ad01690c35276169c46181a81b

SHA512
d650d263c0131e168ca3930010285caee8c9fdc1eb742ec504aee0dba03151953ec4bede3e2ee139ef0ece6fa29f668e86b1df6cc6ce6b727f59f204d1f259f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
767f17fec04c04f5dfb572e33a642af7

SHA1
b3529a464bf8d2feb17bde23495fd0cf565791b3

SHA256
24d70a7442f5f08eeea948c096a8a6e54f634e83803906bb9fa4091906a190f5

SHA512
57b11c66201c0e92991178650947614c95baaadfdc0617477d48536e29675e520001d7c75ee24de903e815f33352105fea2f8c7ce910aed6c99dad24b0525e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b0af7d61a8fd63d4e7581b8a91ee475b

SHA1
7b2a802844f1f36004b3ccb2793373f7fc5af8cd

SHA256
0f955cb88a9eb28cf1a2190e7af6ef854a33d067591fde963105942b1e8854e3

SHA512
4c94690882b76b96b785ae492c3f050f7dafb804c7605595192899b954475f4c8f2d415a167f19a5506637269e34daee8dca25ec88e25d80a4e0a1a58f582646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3093e584a670c2c5b3739c628a5364bd

SHA1
df9b92dd0fd2d920a98df1d1007e3fbeadb5f22b

SHA256
9715b7480ea977483a3336b67045741c764bfb37dbe4acdbf3208322e1b1567d

SHA512
c6cfcadd911943323ab807ece78f380e70831f7db4130cf10e7170f67688b1c3f47d512ca1fdba0a4d8391869d36f60663a6499fe20e9d420ea9e900df6b28ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08417ff1b48776522b9ecbc0a341738c

SHA1
9f346746aabc6babaef701d6eaaaebdf4d15308e

SHA256
3f5061bf3ae60c274eaf26e9bf0a552192f4d066f1dd71ce11bea2321f013e10

SHA512
989542a88666dc89e29f68f8897fd65e2423f3ce2c35c5f0ba907f4b3e8f56314bef28491943a00937c8fe1a2ce7f1db18df2700bcdd04ee9aeaa39265955793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6133d316103f07608c53c3a4fd6509f7

SHA1
94dd645e823da4c8e89ae90afedb02bc9e24da8c

SHA256
52a57f4292c8b27160f18b3b901cd53950eb3edb815a1b39de880ae4677807b3

SHA512
64d5c7e60f9ed169092d715edb85baeea75276f9f525e439fd265612ee65172db5df5f0f8c0f6fac3fcfe57df08d70bd1448b05e267b7cb3167c72572429b69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
032ccd2ea84fab19c02880450cc01737

SHA1
5e76b5b667dcdc407e7f1a0a6efec5583cd75eeb

SHA256
a564c23ef63a0a64ebb2610c47b203178fcde47923e02e9b9ea65213bcb067bc

SHA512
b28ad2fabe0b202776b969b3d46797aaf7b8f035ad11cf2d29f24c92b07219fac6bcd61a8f4e461a16f043aad871d157638e6c81e7b081c6814cac37aa14222b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86152d38691e8da26c5cd33443cf86d2

SHA1
67390346ca0f679c520261b2b0aabf54d1a3291a

SHA256
24cbb5066f5fbc0e5dad5233a15633025065defa97f91e09d28eb9d44327f442

SHA512
3695cf23d1af645d29b5c220b4b0380bbf86c6bef9701403c54fef88a665f850e7925b0ba4eebd9c8a136fb8d733ab2071bc5386967801c57688006fd5dd7733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
627524899ce413ccc87705a850ccd1e1

SHA1
6261f82822abd400156c8595583a1592f081e3fe

SHA256
61b01cff48f0faccd68f94a0e425707cd2228098bb9ef60c80d952664a6cf809

SHA512
6447216020d0704a9c8c1928504ac464ed3668b4e529cef4f249e39209bec514d45665052d11700d542c00844058aac37cb150a9303b93a3a2973902f5ab9b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583eba.TMP

Filesize
1KB

MD5
d9461b453fef9172f819e9688deb3e08

SHA1
885322f8cfbb2d2c3c7eba8e8b00c116ab73102b

SHA256
2000f247df82fca9ba34fc0c3c5dafaf255e1a663ce3e4c1e075f4e033b8faf1

SHA512
640cf1bfb2b37d206d70922b0b21c3ee7d2c26e2a37c20b2cd554580dfab92feec2ff4769922c8e27cb481f3df5298505b90b04d474cee97e1a8932767a98c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8889d27a741529a633fe37dd503f95e

SHA1
f54af8788a9bf4718a372561d1fd4653611b3a75

SHA256
144df34ce5e1e00be8aa08e2adf9783e73e02e10a092b8956feb8bc2ce1a5816

SHA512
ba959cfe66902ddad9456ef6334028556d0f6735683304567f7a9405066681bd4fb2e00caf1948c430f3f4b30c9d8f2baf5064476f7ec452db515de65baee7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
405e2f687e631abfb22682db43d1da3d

SHA1
58dbf7a481f59ef0290aa676c31ccb5c29edbf2e

SHA256
a77cadd5e61cae1077aa1a46a6a69b09cc1379659957df9177c652efb43c6e1a

SHA512
9e29cb39c84f9e4f201a0465612c5d657e7ea857575209a4fad6764ed98e99876867d2304860db52db2f8d32e273510cdb01ea738d0de5255caaa0e64d6a94cf

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip

Filesize
12KB

MD5
8ce8fc61248ec439225bdd3a71ad4be9

SHA1
881d4c3f400b74fdde172df440a2eddb22eb90f6

SHA256
15ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5

SHA512
fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9

Download Submit
C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier

Filesize
614B

MD5
33669d07af795a2fc86fc54eae4da73a

SHA1
42b0a8965b83376b4f2cd3f85059cd7baf3927d7

SHA256
533057b1d0bf2f686fe289c08068d0e85cdc6a76650891cc1354022b6e589dc1

SHA512
062aaf7a96bd2581b9511bdd994782b5f17cf78c2993d4c727b7d9f6d905254a82e600ed004719623bf72dd77086cb746a494d8ada2fa649f8aca7a6f24aa9f7

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar

Filesize
17KB

MD5
352c9d71fa5ab9e8771ce9e1937d88e9

SHA1
7ef6ee09896dd5867cff056c58b889bb33706913

SHA256
3d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61

SHA512
6c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23

Download Submit
C:\Users\Admin\Downloads\memz.by.iTzDrK_.rar:Zone.Identifier

Filesize
615B

MD5
8999ec4581907d0d4e5e2346e7f60d8a

SHA1
4feb897b71c3ce421549306168a20bbc372ece9b

SHA256
947fbc7f4f572e9844d9d30fb7db2894dddd4ca0967d229c9de5a4d11d8aa726

SHA512
ded149f6b5b4797f17537893a425dbb4724e8d46044ce499cc6c3705aec8ed63dff69669a27e929388766424d0a4a4d0edd43e64e82ed2b0e1b6aa7e30eff6b7

Download Submit