ef3c2dfbe13aeef9d04bf6faebec26b97d614e52f24c63955bf7d36543253e07

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 20:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

FileZilla_3.62.2_win64-setup.exe
Size

11.4MB
MD5

579bb096d23e81d7acea4f09ae1a5f20
SHA1

70d466914d392a0a2c06d8ed62882ec5a71f54bd
SHA256

ef3c2dfbe13aeef9d04bf6faebec26b97d614e52f24c63955bf7d36543253e07
SHA512

9596496e8200bb8d314503ddad973304a48461b8dcb052912d5d068d3877172ee1d57f53556b3807cd6df4c875babf1393f9a2b2bd1c8e6a9d9b37ba971ee656
SSDEEP

196608:jWc8gUVaVHNOSYJ6pbitQaE+mUqbsP47XyRBVKhure3XIY1XssQgooVoo/7kU7Mh:jWcyaVwSq6pbQ3EgPUCzVwuKFXsERooi

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

NoEscape.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Loads dropped DLL 5 IoCs

Processes:

FileZilla_3.62.2_win64-setup.exe

pid	process
2288	FileZilla_3.62.2_win64-setup.exe
2288	FileZilla_3.62.2_win64-setup.exe
2288	FileZilla_3.62.2_win64-setup.exe
2288	FileZilla_3.62.2_win64-setup.exe
2288	FileZilla_3.62.2_win64-setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NoEscape.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

Processes:

NoEscape.exe

description ioc process

File created C:\Windows\winnt32.exe NoEscape.exe
File opened for modification C:\Windows\winnt32.exe NoEscape.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133250336890526808"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{04E515D4-7471-479E-9351-A1A4CEE9AAD1}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

FileZilla_3.62.2_win64-setup.exechrome.exe

pid process

2288 FileZilla_3.62.2_win64-setup.exe
2288 FileZilla_3.62.2_win64-setup.exe
4672 chrome.exe
4672 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4672 chrome.exe
4672 chrome.exe
4672 chrome.exe
4672 chrome.exe
4672 chrome.exe
4672 chrome.exe
4672 chrome.exe
4672 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe
Token: SeShutdownPrivilege	4672	chrome.exe
Token: SeCreatePagefilePrivilege	4672	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4568 LogonUI.exe

pid	process
4568	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4672 wrote to memory of 3740	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3740	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3492	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3640	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 3640	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe
PID 4672 wrote to memory of 2420	4672	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\FileZilla_3.62.2_win64-setup.exe
"C:\Users\Admin\AppData\Local\Temp\FileZilla_3.62.2_win64-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffab5449758,0x7ffab5449768,0x7ffab5449778
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:2
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3328 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4560 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4876 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3228 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3336 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=940 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
- Modifies registry class
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5252 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5472 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3360 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1816,i,8447134530957462356,11208608459767352126,131072 /prefetch:8
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1408

C:\Users\Admin\Desktop\NoEscape.exe
"C:\Users\Admin\Desktop\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:4224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa398c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3f60f97b-ef73-4617-8f15-f7dfa4d5294b.tmp
Filesize
7KB

MD5
3d59d5553a89117c702674a455f08d4a

SHA1
a974048737ce1d673c800bb0748e4ef6bd5d57f2

SHA256
6e63e4a958c5f3520fd17e46fdc501d6323c8e12fd5a2f0adeee49010330627d

SHA512
92b22db6c70dd2db59399f6252325b18192a15e7508962334b25f088e3c47bb7dd9915f91018532b436574a551c1700e5d4a04b96710072a91dcae8478ead491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
413196909aba71359734dddf47117c81

SHA1
1963b4bc3606ae6ea7789b5ccdfa41931b4dacd8

SHA256
910e27aaf60b99b7fec013f49b3aba2f60ee0641c77a8f10ded32539944ad3b7

SHA512
29f9fe76f0e31517f7150db49d7f1a5a5f8d1544b48cde0d5904d55426646f3c80111f3a4314169989646ca5824ffc43e7cb3f6926978cf16fa0c83f390131f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7d0a921eea69b4f2f5ddc369478edc24

SHA1
66ec36b9adbf0d5c1a3a133f6583e209f84502f3

SHA256
434db318f5b7b117a82fae64a8c416e5f8902b8f6e1f65b80580f9d938854566

SHA512
d48bb75e0e54208072362d10d5472943ff626efbfda0b4a3c765db5a9050483c715b2d4e875b0973dd00184f57e7da9ceead68615b49f18dd23bd9dcd1fca358

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
c2fdaec76e0a87abba74efc8d1da75ac

SHA1
d51c02f912d80711a48cd63a5b705c0f9d296d56

SHA256
3539a673c18c535225ffc5c6be2f0978f450e8ca424e6967fde7dbcdeff5c006

SHA512
43bef4b7685a3db313cc3810d16f50c3edadb3e538e5539cde30e45ca8e37499c8557c27e47cbeda61f52ae5c1a726f8fef433335c06418e301c0f43c69b093f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
ebd2649e31748fb11311e6f33aeebe5a

SHA1
d51fbd022b194086b6face90eaeb276b4c9efa80

SHA256
3897439890a9f1d5d028ae6c7672d50232960dc502de572c786fd7b277daa4dc

SHA512
1a2252f87fb7c0ef9f6cf865a4e4a7294d436e78e8d8a409edbf97f7a1801d6ba3acd633d0ba0f43621bb0eeb50185e86aea66de95edc52872cb48eb68f636e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
c30fbe5ac81b496b14c6bf9d3a918708

SHA1
d203200aa21348a113920f0d0305dd81c4757848

SHA256
1620d1fb7898acfadbd2b76d9f79b9c2923014f5a68ad53efd54fdf9b84851b1

SHA512
7bbb8dbd677a118da1183ed543c71e2faf83bbfb08918536490f0dd592d1923f9c617b22727b36c4dc081de101630ef1e085e2526341365156e9c05803fa7ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
c391a406ad655855bff5dc1478c947e6

SHA1
1d4dc0a10d5f70045b9e00cf9964f953b5faabcf

SHA256
3b6f7e11ce3220eda46be73e2e092a137dbb5c45859da13eddb548786df9e214

SHA512
75173f4c6756b634a27861d87096e778d25040f1502fdbe4233b8596a5ea2ff0bed3d64bf9c1f19945c7bfa8effb3bc775da9bbec1f70cb6770dc358491699fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c2e398b237be59201790c23e4bb1a4a2

SHA1
71a6d9a59cd8d17d19b1bcfe2285fb899f1de743

SHA256
421b707e6aab290c61fe09f4fae6b83ab087cfc0eb95e4be500ec274040f14a7

SHA512
f6c4626c7f3fb7728274e47ff85f83fbbe64ed12a4b5142700a24877381eee8b366a8d28381aaac2a56eb5622523c844b551701812991dd78747a5afaa06c933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4873869e39ed41a22d98466ad7d407ec

SHA1
515f890238a54175cfbe23c07d60d22674d98a35

SHA256
a8b506aa219710e4f316c69896b5f1746800ca0fdb0280936c77b68550431e02

SHA512
d15bb582af2f2b1f59f0772ee8a1fec49fea675de8a50544d78dd6fe659386fcca2e7354be75e75922e01e31fb734c0a375d95452b2370a1e5a40447b3bd6d69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c95a95809e24bbb5d4b145306ebedddc

SHA1
550889f3d9500052700afda208493bb1afa8aab4

SHA256
6657561a6797d294aa7892436718d65d724e8336615feb15b4c55a583b9588fc

SHA512
64b1912747d9a7aacd7821c95846d486fc77f33bc9ae60feef27903069eea5c6a6759bf5e5c8c47f6a19e05047f1fa326e60b7b6e40b443fc4e4d265cfdd5af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
dc9e7c8bcacae6e215ffef687160091a

SHA1
16f8bd4bccb15a64ce75971cadc3bd4f8786da53

SHA256
4043ab90d0ed69a9529ef2942b115c80912fd7c4a06c4f815c553521bb43ebb4

SHA512
c51cd88e1fbb03482e4606e728d77403e0c3bdb683e7ac60ed341b9fe9f3887f26dd8f0c212774169ba58894e3faade0799c9ad881190f0d2ab9a348116d432d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b6f8468887a4e6324f177bd250ff8ca3

SHA1
ef01dafd7dd9ed3afd9fcf99651d3547d12af293

SHA256
3bfba9305528da49af857a4bd42e4b7e0caab9da75ee51a7a2baf488420391ba

SHA512
b840cf654af2b9779c4241e28ca83e7c1c9497de6516b7a7707a3c982e3c97086f449a928765466b7fe6af01e5c9d34688f8f7beb1f12c236af06a3a0810b081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3526c0dd072a0f7afa6ae91d9b7883b3

SHA1
31e401c5908c1abf5f621a849561c058270e35dc

SHA256
66c5e7f7497f9da33e7d59af9a98b9c27b564a903e121c4e629aa9b3342296fd

SHA512
8ff2db5c579794c02a0c271fcfe3de34c1ba585ec48a02ed12945d25862f2f985dba3ec26d78f7c9242cb3edf3fb641f01871b95102360cba9ed55ad90a736e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
06ab915eb932f5aaba2dfcc2f4553f27

SHA1
43a09f53c330b1c037bb5da6a445924195386e36

SHA256
23cad372e9e8b71ca25f281c4540d0da6a96c22b11819b284db879d7cf51f63c

SHA512
052850ce6e953231ed89a04dd595ed3875b40894fcbc6bca13d7183fe9b02d76297ce2f13ddc915e5546dd86c9c30bde837afeb11bd34b04a2271354b93a82b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57a45e.TMP
Filesize
120B

MD5
80ddb22d846a431a4c251c53e3896ad4

SHA1
89e034a59b0afbdfc161ee2fd12eecf3596e3fa9

SHA256
71196d71c356980a3653ac11e682fb4713a5d311eaf648e467eb9008b43d130b

SHA512
e4bca0644f892c1bba2f0e92c81bdb84b30ab7bc3bed4e964361ec712581d97343d9d870eaad41a99a0e417e4e1c6f0bda5936c6a9ed261d103e7e087d25bdf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
bdea6afcf0029ef8ba8324e91f7f75b2

SHA1
3f10ba497f7b263bc6d65c1fe9b429042cf813f6

SHA256
0f1e2bdb2899740e7b98fdf542116fccc4dcea84043a40b6c6a5975c3bd47716

SHA512
3376c0655bc52a9b6f3b96dfe11445676ad0217717fc5209c9b683422ef9c31c6cf305a927399ef98c89960f260ac23ee7f9f03047378d5210686a8694ae75c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
6491404a7d2b73c47a14363535ba1c5a

SHA1
7b53adb564739911a009d015743a77d4e1cf442d

SHA256
98ce64c4d99adb9edb9ade4f8e7eb790705104e1eb8e5c0e822c4faf0d477dc4

SHA512
9bd0555eebd516741fd36c743c8c1b5c25084c33a439aa04500cb519f6da70fbc9fd573099f877a39baacd86ae3be174dc585be1c82f7f2ad21e5e8f548b9b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
a8aa96750d5a5169c402883fb21804fe

SHA1
45465b8d1a1ea1f1d999977197c31fedb4994488

SHA256
76cc180235bd13ce89bcecc90da516bb1944f010110a0aae77752528f6ea4884

SHA512
a7989490b36ab45844c86fb0812d29fd9a8043b91c3d34f5d83f4ed7e6b24c6a3cf90fc42366fa8a81afeeff343c048088965c076df0934f753f0942309f5d38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6AE6.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6AE6.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6AE6.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6AE6.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6AE6.tmp\UserInfo.dll
Filesize
4KB

MD5
98ff85b635d9114a9f6a0cd7b9b649d0

SHA1
7a51b13aa86a445a2161fa1a567cdaecaa5c97c4

SHA256
933f93a30ce44df96cbc4ac0b56a8b02ee01da27e4ea665d1d846357a8fca8de

SHA512
562342532c437236d56054278d27195e5f8c7e59911fc006964149fc0420b1f9963d72a71ebf1cd3dfee42d991a4049a382f7e669863504c16f0fe7097a07a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi6AE6.tmp\nsDialogs.dll
Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip
Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Public\Desktop\༑࿾ඒ⥃❝ᵉᆻႈԼ६ർᯖ┴ပດ╯ቌ
Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
\??\pipe\crashpad_4672_AHYXYPLQZXIALDIZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4224-607-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4224-787-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads