2e97ecb6cbe30536c04b3049eb3372dc6f3ef71354f898f448d4fdd1a560da24

Resubmissions

27/06/2023, 22:30

230627-2eybfsff67 10

27/06/2023, 22:26

230627-2cnn8sgf3w 10

Analysis

max time kernel
26s
max time network
30s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
27/06/2023, 22:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

redirect.html
Size

6KB
MD5

0b375fb53042dad5215bdf5b50b9f8ef
SHA1

cb1c83d776609d4a50ac9a3232423979513beca9
SHA256

2e97ecb6cbe30536c04b3049eb3372dc6f3ef71354f898f448d4fdd1a560da24
SHA512

524b0c42bd77098c44d09518a02b23ab98653ec0c10621a8c1487b7a27bae60938d9cb1e14914985bdbab1e1691f65d802c03c2c59036451dfe5953b18d46be2
SSDEEP

192:dPHLxX7777/77QF7q0Lod4BYCIdDO/XGE:dPr5HYs0+CIdDO/X/

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe
Token: SeShutdownPrivilege	4228	chrome.exe
Token: SeCreatePagefilePrivilege	4228	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe
4228	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4208	4228	chrome.exe	66
PID 4228 wrote to memory of 4208	4228	chrome.exe	66
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 1948	4228	chrome.exe	69
PID 4228 wrote to memory of 984	4228	chrome.exe	68
PID 4228 wrote to memory of 984	4228	chrome.exe	68
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70
PID 4228 wrote to memory of 1988	4228	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\redirect.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff94f999758,0x7ff94f999768,0x7ff94f999778
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:2
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1820,i,3784544630158491730,11896086333620023256,131072 /prefetch:8
  2⤵
  PID:4732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:4104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad6055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
702B

MD5
2ee92a9fbb1319cf1608f875602647d5

SHA1
2335fe1e046187a3458674d3d5e2fb6a48eaed6b

SHA256
eb7359b2ba313c74060f7a7ac04b5c90a2079744fb280d8fd6b02a954978ef25

SHA512
c98290467ce6f6f10829df5f669a8f54f92e365bb92b5fca5597432213f72d8cad0b6b71e48192ee8a147f3ac80f00d3ecfc355067cdaffb794bd1e15c494bb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4235b8b97308a2805139959b9c103041

SHA1
2798b35eda195db747d69a44778842470fdcc272

SHA256
01654a7a86fb38d3d10e7d1ef5de16db95ef7d10ee475311713eebd35753f5c0

SHA512
12d6822460f9a54ed5298c5f261effa54405b77484c174ed081068768a0421b15d08df229b4233ee2d2b4006238e4dfa6e4d5ae97894e492616878034de1a9dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e82905aaac1eab5778d93f85bf927d1a

SHA1
6c503c262bc9a7bc5e2e9245d41095cb26ca2850

SHA256
9a9b369a603a680e4dd9c013ace2341ec86f62a2d6ac73ce0eba43e5da12a944

SHA512
964028fe30168b7cb3bfb1fc31b22b65e33bca585c5fbc51447ce240c8ef952e704861b92bcca286e5927ebac8f5db3b810e38d8fb500ea9ebbd083e1dec4a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
c6a98d97554c45b3339890f293a7517e

SHA1
47d3d65027c9a26371363bfea9771dff395e7f96

SHA256
9cfa8dbd304e9e80fd5eb26ed662ceb9a947e2ad6306c43ba2f36f38a11cab7b

SHA512
861fed4981335fe52802de5aef84a68cab01668ab9e2378e2db6cf8f8180e42a3854fa460b436a9c628e1f18551e763882c5d3159902edfd6dfe519b993be72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
993dcd23c46b6563db5ba1558485df86

SHA1
c4117cc99a11a6f1974573ec0f697de6a7432d44

SHA256
cdf0dc8a86a1d5055909aa6111e45be3048fbc27fa2bb860b6e2f3f76b6bf351

SHA512
f06ebffe71a1dcda0e610243937e11499d10daf27ae3bcbfe78e593e2a17505eb652bf949ba5102eb5d7e7fc8516c1e773b72c168b0bb52e550f8634ce9dc434

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip.crdownload

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Public\Desktop\ኴⴍৎⵡ⍱⺂ఖ❂ᡃᖥೇ⩨⅘⾗⹠☬᪸⅔ິሩ⽭⣣᏿ᬼ❨ᦱ᜞₅

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/4104-156-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4104-332-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads