bd648f110762d86514ad03d8ee22282bb12da408c7be77cc6cfafb052af603ef

Resubmissions

02-04-2023 17:46

230402-wcr4rsah9v 10

02-04-2023 17:43

230402-wat6caah8x 6

Analysis

max time kernel
210s
max time network
212s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-04-2023 17:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

hbhb.jpg
Size

8KB
MD5

a98b0114fd7aa9bacbcf5382de1586cd
SHA1

fabf484b85c0ef3396da3df2dd074c4c01c708fa
SHA256

bd648f110762d86514ad03d8ee22282bb12da408c7be77cc6cfafb052af603ef
SHA512

cfb24a77aaccdfd115b254a45415e8e4d16fb60b80c7bb28310481191bbd7de37f091ab2a8e86b08ccb99f2330545b69dcc763f9ae74a18ea2d65f97ed5c8039
SSDEEP

192:rC+B1oh/+lpiZUtULR3J6ZFAYpx1LqPzbM4vn6HznSPklb:rC+B1oh2v5tUBMZ1xxqPc4P6HznSPklb

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ras\SSTPProxy\ProxyConfig.xml	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133249312382258331"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
932	chrome.exe
932	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: 33	4424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4424	AUDIODG.EXE
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeCreatePagefilePrivilege	2600	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4444	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 4996	2600	chrome.exe	69
PID 2600 wrote to memory of 4996	2600	chrome.exe	69
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 1372	2600	chrome.exe	71
PID 2600 wrote to memory of 2724	2600	chrome.exe	73
PID 2600 wrote to memory of 2724	2600	chrome.exe	73
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72
PID 2600 wrote to memory of 4712	2600	chrome.exe	72

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hbhb.jpg
1⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8b8e89758,0x7ff8b8e89768,0x7ff8b8e89778
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4832
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff75c597688,0x7ff75c597698,0x7ff75c5976a8
    3⤵
    PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4552 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5284 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5480 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5500 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3304 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5700 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5016 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5976 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=816 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5700 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5756 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2568 --field-trial-handle=1756,i,15335811329187357325,14168470231526972618,131072 /prefetch:1
  2⤵
  PID:2120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:1876

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:2520

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
- Drops file in System32 directory
PID:1792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3856

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:2556

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:3004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
50KB

MD5
40333c9d07daab8ba8a53f73ee3f974e

SHA1
36c2b17a7c48fc28036534f445b79fca9658f0a4

SHA256
998313664fbeab2403238a77e6c50a4541d20805b30533f67de1a12c624fee54

SHA512
4a893bf97a02f88a3ea7830b5f72eb56295566a2c6ceafa33fd80f74f81edadbb4172f71c0e12e4a06b1e927f9d7b0cc62c5ba070cd50f3f25c8b670a1270de4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
612KB

MD5
a583b39f19252d5e929044138520b689

SHA1
51fc5bbd8694b72756de25fc60f13151d132ef01

SHA256
0123ffed642c61e4754dc6b590a20af667dc7d0b4262335c8b4c46e562ad3823

SHA512
434f70f7361014f9d2f87de0c29a2c2d1cd240333e99a4a61722404534783210575594c4ab996ec60d682157ffd5b2b87278cfdc9a2fbaf08213c42f1f1e1a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020

Filesize
35KB

MD5
fbf149f3cc52c0e994c22360da1fdc3c

SHA1
71c4a5d6a47d01dcb40c659951b5ce38faf1fef0

SHA256
53e46cc83cf44a5dce1b018be9011952eb7714f2949757cfa2e3efde44112dd0

SHA512
9046410e4bc370c68e98c5c00875469bf667cec7bfb14046df5a8547be292153d3621da4f1bc4ed583b044f739a3e56dd9f0fc70bd79196568aca2949501d1e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004c

Filesize
107KB

MD5
f7d0caf37d196733802d70ffde7306b0

SHA1
29c3b2044acbe4ecd75557563fa647ca5ca953db

SHA256
108dfb988d1c7838a44fafca3abc98945e7fc45a8c471d382b4450093b0d6045

SHA512
84dd29afcf0d540af969de55639b4329f57eac29ce6a541fae5dcc1090f4fc6403e574fc1182dbfc3063c4b6bc3147c26ec623026e56b970d301009fcbc738cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bfeefb07f426e2b54e1a03ca7e1705e2

SHA1
dda61431b4d9d6f6a83d690fa0a431ebc35809ea

SHA256
1f946409691d06dd78b25c69d3db6b48b2438358dc0c32a6c23ea84a910f9a43

SHA512
18b88eb41d03f24284e4a3431f9f07244c32ffc499b31029f7ce805fc09fa769c73573599f4c449bc00e87380c63f41bf7ca58a85fff168b8da1c017446c7a13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
10cebeb8f9e9522c92746d0116a527b3

SHA1
0936a5acc2ca855f2c3a8fcc63bdb93c7d4d572c

SHA256
f33b695144f422358a20389a355cc84d99425d50d2dde08ab807c8b1180d3d1f

SHA512
c81d88dfe6e0f186a265e388119d30613191f5851af29b6176a1dfa82263e4e7dcc9ceb82ffb6535ca5b08f2a1deb0ebc4fe3837709ae49b01540d4e23960d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
44ffa1f2e7c90dd6b1fb0c2e5b3cebf7

SHA1
c71d72adf8229e95ade70afb24f39d760bc54eed

SHA256
05a7e942c5db77bb50d5e12aaf3151600020a3b80ca49621459e74bf0105984f

SHA512
06a7d6306dad22b0fefefb1ebfa2cf3660a1f12d2901669934818ea8776d9e52c36b3e7f287f94a13f77766a06254543985a2593e383c282c4f056f0a940c109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
5985ba04fef6a3b09c009971ef9df360

SHA1
94a5902882d4d321e7406a466c35cd7cfedee2e8

SHA256
7b4ace2529a131b6382b4e6e7e207be772a21d02049b193f44b8c756cbc5a861

SHA512
63b87255086414a0b8dbf778813bfaca07486430e6462dc3d3f8e4190da29d9937bdff80a338be56b11e7bdab31f3b08ff5ab196d23040bda1dff3227f5be353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
24384c4f13184676445abacdf0b89871

SHA1
2bd0ddc2bf11bf0bcba910c05235aa1f21a78257

SHA256
dfaa8c001d040c594500d488b530ab26a2f84f44ad535a3dd231c57340cbe477

SHA512
38459ec69ac5c45e0f4cd0ef9fbb8098eaf01e86ccf24e3a95dbf1d31abe29efcb8b86385720578111f78d8b772a11df1935cf38766119a79189c09149cd0400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
864B

MD5
47c94359111e6399ca096e2b2034423e

SHA1
a3977d8e9d3f6a4b482fddf286d172ede34ff445

SHA256
6724a1abad189a5ebad0ee7d7cc54a2618d3770f2c0638bd870a01cd2e064ba1

SHA512
72e09254afca23ca02a52d0b435fb1d851ce9a2561163f3e8bd595c54a29043efd67105557307ac5b917f45583c8ffda5c12f78df699a883b488f439b6c95837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6d819c4e2f3a16214c2a41eb7f2303c9

SHA1
0870a1829f3bfb805e5dfdfc79771fff2523e7b1

SHA256
5dcd17afe4290ae95bac17deac988a25ba6cf5f4371f1d843b80106488109e9d

SHA512
3ce3b59fefa2aed5f906f12014dfc19a78c92401a6f26f547c148bf46131f51b7469d1e5fa3023ec2e9dcbfbf5dae8056c44a79806bf26238d08d3285f92411e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
534B

MD5
996d56f8c66e505bbfd22a4e9ebae616

SHA1
5358ee67d740308b5f45a7908baab04436cd33b9

SHA256
1a151ce609002aa2717ccac8f048b9998a30c0521239faac5069ae915237d982

SHA512
cf03293e098905363a249aedbd6845eabd931b2e385c40d916facd7efedca9ad73337be6b677647d32f61de0c1a8ddf1380791fe7190cff586542c8aaf447c0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
97e0157077f0ce968cc6e1af7295c031

SHA1
84d277df104fe14fed85819d8c31d869dd624b9f

SHA256
129d68dbc5721abad1ac7facac0c0a912344987de0d1224fb3769c711d74043c

SHA512
1eb1238ba223180afa32a8eaf98ac34f0253c081404da96a19c2ccd028d11e02fb4b492a19e393aed4dd8327ba525bf19b7ab14df12aedb946e29864292cffa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a97c73ea49f338351973a83137c1ba03

SHA1
f4a0e79d37a5a56daaf3792f6e4074c0dde766c6

SHA256
00313e1a3fab0afc2d1a1eea73afdcb64a624f7b148d872e9855c1831c915f29

SHA512
8551008702150afae19a4aade170a52be8cb2d3683dc710bc7a4bbeb2da70d45f90249066c96cdf320e739b3d09be4a282f44e965b1495bbb76bfaedab51560b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5c3db1338c284236e9495d4d1ab08422

SHA1
03356029af9180a77a841e701141a90de6dfd7cb

SHA256
7971fafc87d7455322b39d45db79de8120485db645099c6382f2a12b0949a771

SHA512
c2c4dad7719941c5f6b05711a0afdc7279927dc60329e668e587801cf52d6e17af2793db5dced08824e65e3e10cca7a75481cc5415c675859aacd86537221cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6eba521eb29fece8e33aa9012b2021fa

SHA1
a5a0af21dd24e75f3cdb7b99d1faf7c2a304b02f

SHA256
c186ee64cde21e44195b97173aff7737381c1f8ad42c4008682bab3cf14d1c1b

SHA512
ebf5956873c138922923e18964ca13e9eddd61748e519cb9160ceda70542974b0b3826a4f4b4f85a5a7d03098146193a3c235fc8a70bbca1e0285a98d3decd39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
446add7b458eae050479346f72f78b1b

SHA1
529311be181341190fdb3a7256a4b8d10461ba15

SHA256
2aca03d9bfe32495bd8d4da1399fb8845df6a2c3a67e174e7083390e9f64a1d2

SHA512
5c335f9d7a167eefe04ee32c1a8464fff3431af687f40f214f34161e0a43f08d035fdb344fedc4dd4f194803073b472c4d8b78c45bbc40d55ce9fb878793a5e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a26dea43dbdd3c372fb800a1f6c43834

SHA1
c4770473d3243fa831887ab6d630ec78188e97cb

SHA256
2654ff1a7a1a987f0b4d583e7189ed364d5e0d9ac2c8b9fb6244dbb24f0f4963

SHA512
64d2496cf51012fe44e59df5e6518c0e45feacc4aeded7dc2ccff2fd5695ac8a073aa5236b48a96bb15b17d53b07d04970749b1f0258d94807efaf1fb1df9b18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a8a82906e09e588b37f47f5eb80b1777

SHA1
0e72ce2c8a5fe94644fa66739cda18fdc88f5092

SHA256
f331c511f510a907f0eda5e9e4510404520a27c2261f4dc9b10b20feacb30853

SHA512
c91a4a353813a02c14bab214fd863642ab6a490dc44160d1a5d10b198e79614b825d510afc9f11432922c6381550f7d6fd5ea54e25f8cc93efda0648d0a8472f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8ce5ca90cf2fccbb456f06cb85ca30a8

SHA1
73eda38317af1a2cd2b69482d7e8c62487ea2630

SHA256
5b9ce2ca63e5f576ac62668174816b259a1e12819a3206f52a772cc56fdb8fe5

SHA512
9b48cd44a6d344b25a3a72e09b992f9d402ef594ccc22f6378619818a5a2515b8fd8cd74418be83c2f6189348710c311781fab20f9607bcb6c8f27568f33299b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
650157588fe56db305670eebe6d7d957

SHA1
271d68267f684711bd7e77de2b90a5c787ec9212

SHA256
8aa4f67c9f109f921f497ab9598e957be17a3bbf9f95e8daab1abd25e012941b

SHA512
0b04cdd44cc9385f0c6e9915fceb4e0253ffbf2cb3516a1bd82b64e2854ba134732a63cbfe53e8dc9a49ae7893aae3349ad347b2a9e15ef3fbc65f564cbaccb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
383668487d8f4f19717a8103fd91e4b7

SHA1
8b76ce99f4b0cd70eb22d50819bfb0f979862fd1

SHA256
697eaea51e2ea8c822fd4b37f0386d610602acc427d515b5d15df0a900996e1b

SHA512
a50a2fa9f3efbcf5e9ab9c830d20cd1b2f0b297ad1ed87d556be5ab365ee454cc1306ee35189b8516271d48b90cfaf105e63be1674355028244c7ca67fa8b23d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\51dde030-af5b-4e3e-a9c9-b9faad36fc14\index-dir\the-real-index

Filesize
624B

MD5
32473f5fa9c9fd3b3ad368885ba7da66

SHA1
88a699194de7c6cf8d7bdd0632ca799978caf356

SHA256
29c4831520fab8d90513abd53ec9af80ef1f6a13c1e7ec5d883f9c6933a98a39

SHA512
5738ab8e828074e826e1fdd9fd8449475762adabf443b8c6800203feb0964db2260a32d59c928da5b72e3fdc3dda95e1a58ddadffe011eb8d41b0fcf8e1ddcc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\51dde030-af5b-4e3e-a9c9-b9faad36fc14\index-dir\the-real-index~RFe5785ba.TMP

Filesize
48B

MD5
0f62bed9b46a5899f74c6ae94530b40e

SHA1
9612a7ff2ffe413d018bc51e7db939ac510ff727

SHA256
60a0dccfec87433607ed5275a7cd851d27d45e13cf4cebcee48df459770b4c47

SHA512
d241dda4ee09563b8354efd93a48d7b6c19ad0bdbc38ce04c0b00da4471363c50cbe0a3a7a10f8e87f550f6dfa067dfb5effd505f1aa4b63e416e87cfd139835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bcfbf633-ff50-406f-9bfa-fb40871a4b8f\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
129B

MD5
4b4892430bec46c2399442db03e194c0

SHA1
249166ab02560a62c80eda9d6b0853756b7d20eb

SHA256
b60f14102692b6c1eb4aa88e22ea28922e77ae03e941c2c605923389397a1562

SHA512
6fc4dac4deff807d2871d0e55d58917e7565705a8830aa13e0f1aa7187197e053b13a5f4a9742a8fc65a07cdc2dcd64a01d88dc5ef81dec8ce9ed8621cde9d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
189B

MD5
84c84ca176b66d3628a5b1bc415ace3b

SHA1
f342db01c7cc9d8a077900805a0705e8d56f51bb

SHA256
ab0ccd1311f679e1ff92ccb5b8e0118fc914d84feaa317eea02e18734e93650d

SHA512
d6016abfcb5e5827e6da98d8b3955d17532529b2be7a8da7c9be04891db955b8c8afda19f786e66ce79f9d540bb5bdc12e909d935e32cd44f0ff1d7be8118642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
125B

MD5
f07ecd1779bf6a58463d71d83dccc6cb

SHA1
292a7bde4764b53f38a1d08d35c625672acfc18f

SHA256
c7e4134468eddaf4c826da4f3c9df68495b036ca3fe5ce9e08d04164276f815a

SHA512
4c9dbfe45be6f3e675e410bec6de1bebbd00b4fd37bc8d0ede9018437f75af2f9f10fb2b4bba4e9148d9451b5fda89ef4f8ed6aa66c77346f52179b49059ba70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
189B

MD5
8650b1689727ab5ca4c4df3d4e70889a

SHA1
b7ae463d92049cafca780bf7eca1d4668fd60cac

SHA256
3752cba7b8a5c56d12cd1dbb1ff929d3dd4e00f970adc09e3f713b7d6356e6b8

SHA512
c8d931ac9ba1834c997f08df985413cf5a8382b36b6464f211a358a6981b962e7a93a34996512c9a86b6956f94edfe461dc07fe206ba5930fb715eeb65e988d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
125B

MD5
b98dc68a4b0869a3c106604d05963d6d

SHA1
9cf72ff631c88a60ea079f2926e89376c9258d8d

SHA256
b07fad296f13aaa2a59df25ff974a7bd32caf64cb03394a6365ae235124517d3

SHA512
94db15be3090d6a10f90026925e5e70d0e89ca8ff8d468ff4f57f1f1a8f78014e95b3bb6dc09ebdeca32c72e904a8390b1492ca22048df8e8386266e6deb2aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57086c.TMP

Filesize
120B

MD5
cff7cbc5c2a0424cdb3f3a81eca731a6

SHA1
33d756ef54d2aa2dcac712c26459089e84c3c9d7

SHA256
6545b52f3a13f887acf29972f852cdb6af47e97785adf4f76005eaf43ed52ecd

SHA512
78ff4e90a5572a92e09baa8f09915db6bc2f7b2e011d57b37c1a8b6c27b2c975092f217ca889b74e7e162f4342d060fc4ce2af5113df740b1a85553dd219ba08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
1adbb927cd2740b01ce5ef807d92a974

SHA1
06fab0042520b7f7eb41f798593ee6ee36f479e8

SHA256
244c230620183b9606acb516ae7f667e802da05a5a49382ed53db3b6abd7dd03

SHA512
902ef9817a46427e4d4c419d253ad3243410d12e0fbd3d123d5779e6cdc3cab44f6377c0cb27ac8c40de61a2a23fc9273efe482616244314b4da11d8a40906d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe575a26.TMP

Filesize
48B

MD5
8ac64fd44c81280ea87a64559ee90aff

SHA1
8b9cda5a786fa14ba0c2c449876d9c079df71339

SHA256
08352956daf5fe06b78a4593bb0ad768a395ca2c31f9bf6b418b2010d430be0a

SHA512
3f747d628b2296db294e07daa9338c23c6d663818b4b7075723e082590856143722d781ad48135cee95e90be11fef2bfd06d7ea0a23274eba783c2d709169307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2600_380815387\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
0d7f8f4298512e81479a347a78ba7ec1

SHA1
bc44a49225da9fa27018f21fb91d975a053c10f6

SHA256
2d9a4548221988f6212f438ac8636f3a1bb90b7ff452402772bd4e9fa11d8200

SHA512
604b57cba79f91d67eeecbc4457cde3b33289ff207119ef7223b331592dc7f521739116441a1f1b5511dd84c432468690a04d99ac4ce7986037541d3caedcc09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
1dd211c4aa08475ef84c0994e173d8be

SHA1
0faf4d48ff9c16eb4f0842920e4af75ff0ac354e

SHA256
9cdf6e87135618afc0cbc2af57bb963cc23a3756b7dde5f022bc9452628ad026

SHA512
daa876892c6a4b3e850b66c306e2ea06d8cd103960827ddb37ef02ec59e8a15d1f4ccfcd5b7bc394256ecba2b91e695cca26b45ed911f9dd2c89bc9535cfa959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
1982a4d4a3bd61ad205d0013d4b85b67

SHA1
33fb6b9ba56e780d6861b9457ecdd39a06080ee6

SHA256
624e910dbe6b19a7ff7cb35e5ac1b67fedece10fd1b4d43d946c8776e5b5da29

SHA512
d82ce6372fd34391f42a50fc39a213e13d7490e0276fded4b4c50fea26fa98e48ea6b6dff7e87ce8bb378b8e972abb6a1428dc6650464811ca8b72c764a70edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
42233567a2f235b50719329d3a2e78f5

SHA1
d625772800dcf1bf1ae4e96454fe64e5266c098f

SHA256
2cbd9e104a6c866d56f1feecfa26b585722fbaba35c50476a9791d4297de0562

SHA512
18d48268f016f6614d6a151fb72618f31dcce7d3b1ed04359ee343759f80be828384cde3197935aab3e1366f6aa5e181457512bd87b8fde5412d4582847d0c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
dbe57c06b111aa35ea39ad373f9f25a6

SHA1
03e694e8c7525bf8ab42f29da3eae6d11ceaf2b1

SHA256
8d3369154c8dc210470c7b966b25e6b12f99831d634e629a27171a9fbaad6a55

SHA512
d138016f6b71ddf0efd1ad696ee299aa1362f19d1045ec9bf6b400c3698bfd4550edad625fa46d1d2d5e5319abdbb92cc9e4b539a62d5b7a9542574657861905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57755f.TMP

Filesize
101KB

MD5
2aadea3ce8881c4a9c3856b2a930909b

SHA1
04ca7cf7cbff9986e96dd8c48236140abe3b873a

SHA256
e4de36614729d503166874b04941b2da9238b213a8899a7c42ad70a31a2a5d4f

SHA512
54a78e203c8ec10340d19e04b3a39f652ff176202a89f7107de60f3b398313dfbcf64d2e37339d0391a54bcfb2a724a70a1eea9cb00a47a8d0f7f3cd9f6e5c66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Public\Desktop\ᤷঙ֎୴⪂ゞḳఠ᧔⥡࠳☁ᐹ⻲⑇⒙⺴‰᥯ᧀ⮤ᪧᦆᘈᗬ⯿ۛ❍՗ⶃ⭺ს

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
memory/3004-1134-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3004-1135-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3004-1312-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads