bfddb29a0802115a8fb0192c82a7dce62c2665cae567f7874cd11a1b7fa4a344

Resubmissions

11-08-2024 09:34

240811-lj7spatfmr 3

11-08-2024 09:33

240811-ljm4aatflj 10

11-08-2024 09:30

240811-lgn8katenn 10

Analysis

max time kernel
174s
max time network
176s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 09:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

groxmc.png
Size

2KB
MD5

5023085e12fb0144d7b97ef02a9f3087
SHA1

241799fdb6fad6beacd8940e3126a4be043b47ee
SHA256

bfddb29a0802115a8fb0192c82a7dce62c2665cae567f7874cd11a1b7fa4a344
SHA512

c72ab5bb7b33f49945cb8b248cc114ae84fb6dd58f876c121c1ddb5b64e38ef7b637fbc2df5c74568ab8d385b76d9798195a61d1b494baed33b61231135db5e6

Score

10^/10

defense_evasion discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2720	NoEscape.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
77	raw.githubusercontent.com
78	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	NoEscape.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Mouse	NoEscape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Mouse\SwapMouseButtons = "1"	NoEscape.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop	NoEscape.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\AutoColorization = "1"	NoEscape.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "142"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678422671956827"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier	chrome.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
688	chrome.exe
688	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe
Token: SeShutdownPrivilege	688	chrome.exe
Token: SeCreatePagefilePrivilege	688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe
688	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4492	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2308	688	chrome.exe	86
PID 688 wrote to memory of 2308	688	chrome.exe	86
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 3112	688	chrome.exe	87
PID 688 wrote to memory of 2644	688	chrome.exe	88
PID 688 wrote to memory of 2644	688	chrome.exe	88
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89
PID 688 wrote to memory of 2732	688	chrome.exe	89

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	NoEscape.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\groxmc.png
1⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80b4acc40,0x7ff80b4acc4c,0x7ff80b4acc58
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3316,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4492,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4516,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4304,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4916,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5268,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5224,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5500,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5584,i,626409701226631529,5371150433730147834,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:3764
- C:\Users\Admin\Downloads\NoEscape.exe
  "C:\Users\Admin\Downloads\NoEscape.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - NTFS ADS
  - System policy modification
  PID:2720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38dc055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\273bfc80-3885-4805-9ac1-296a5d0a0b6c.tmp

Filesize
9KB

MD5
3acfc02512e21e41a6b56218355903d8

SHA1
d299bf371c313a4c17289f6f82bedee00094d2db

SHA256
5bd5a0630840de834a5c5afaaaba258911c6f28d74cc178a2c7b804429c73b53

SHA512
c0eeafcb9758d9ff0c2df3c58abb18287b98a2c60f35164944603fdba8f191f32e7f48aa4bca906a04007d8ab71b84c27329f557d7857336f5b9ed8c6eef6b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\695029bb-b5c4-45ab-b597-70e2099ed9ae.tmp

Filesize
9KB

MD5
8ea9c8eb269d7701881479e0fb2c79e4

SHA1
d9b9e32f773b3055a6d80a512666ca40b1a9272d

SHA256
224846e02b272101ad6e48cf01d64f09a847b81014fb2b7e4b4e5d06ac4c5783

SHA512
1f83e68e96e5243da012254e5a2f60a8681b78afff06371b841b3a1e117d529855ae06f5e460aa4a2cd4b28bec3031f711d5b39b2f9eaf7f1e196e4c1e33ca8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b3dd74a6a373c98d768d555549a41924

SHA1
2e7f40288650d7b2be03d04642ef946b981cc6af

SHA256
2f12ed555eee277d8c437fdf3732457ef617b1ef9ed2328fb0b6243e85578541

SHA512
04c8f6c5126392690945f64c30a31adc6a067e4d02cfc97ebf8a10502dcc468a1377ba6d67e80baacd17b2dee64c78f082b1f95d7a5440c1b510e7de25f5e977

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c6a9c39d70c3cffe1252edc1aeed3f23

SHA1
17d3bd437728c38184bce7be9a98139e23f3471a

SHA256
f7d4fa24b35237870ad7ba6091a71cd9a99b78702a34f52e2ed53d06219b301d

SHA512
1acd5e52ea44de1d7a34aebbad210264c6ad9d67977a625c5aac89066de040b511361b53fba10526b7ee40436a65e99f18a7f1ddd5fa1a7ea152ad51dc68c034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
879b567b97a1f07259b76fc9fee69923

SHA1
21f96ccb2bb20ca64ef7d443f584b57600f76d2a

SHA256
201983cece6fd79d9919411595075b3ded4a744b1ad3afee04d7ea86989fcd30

SHA512
7b16ee5b57c74c62e44e47a0da6d6b9ab193b983885cfd7eed515fc2bdcc1afa52079517862aed43b1e6ee1863505451fe119e80740bdad92d301085f2883c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
4a353004ae8110525a608169ca34aa89

SHA1
7be5bbe4f2d26b12ef924783552aeb954bf50fc1

SHA256
e5fdb515db1a7961b8e7defafb11a4175f52ab22a3cb27baea31974f5d28e7d0

SHA512
2ba3ac4915e3aaa453aad56b043702a49b36794541d9f85a87cc7bf2089a3610ccf553bd70eeba8cc7df804093e5a3d4dbd278ba187b8222ec8f48ce65841558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
42b0536fc5ade2f43acba775fdc91cdb

SHA1
8ad8acf812bdd052586b10a9e7a4c26014935380

SHA256
8de78e7475d89f2614c752d6c92255c297ec4b57c6efad54ecd92e779e6d559c

SHA512
42f02f993dba4204e547ee6e8f155edf75df32bb121333b07daff2126adc87f440616526fd4bf8aca7ed01c104eca8583ca8d4b7845178120611aabc5a151a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
dff33334251660ef9a852747c31001bb

SHA1
8ce603f0b535334057c7c498de869662de5c2364

SHA256
c5755278f6683ab625fa068dbfa189cef4800a4ef830e224f31b53cfb61c1c4b

SHA512
88e67dd912b38e75953141e4f50653e969f0189aa05b23c6e54525d231001d99faa20b28ce2c409cef2ef325b9e068dfba63441b42b0135b0592df5535a7fe9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
62c31d5aac3e9e2ba917921cd6c19662

SHA1
f0fe1311da0f8fd2c1e9b64d674a91b100d81d86

SHA256
40225b942a633ab5baed1496158b0906cb543db37963cdf45f010308fc6320c7

SHA512
965e3a0e35755b2e0f178c6211ae0c8d1826360b3011d5dbbfd1a523db6cc3f0de6d1f34af83b42ccc76dee3429aa6414869c979239fbdf72c3d97baab41d298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0a8d2911cc6d53224395836a08678d30

SHA1
c898eec35d6a33bbb88bd2850b7f316bc9c888c2

SHA256
111bd5d47622a5f459aecb499032a0aa35ee3f17e7e59e2d89689456b7496843

SHA512
f89ad82b8d4d7d3b8148f27000ae228d1311537379f26a200db18ce96debe0389ef6e864b1463515aeacc4902d156ff4dc131cec07bb7cd60476ec7434e65420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
81bbe1b25ea7a4d4eac4c8dd30e59e50

SHA1
5377b66d904df6ef3560f656b6533f796b8a5761

SHA256
ab5e56a4f025aee83ec90eb7179456fa3c0b8b0747c6fa2e9327c873a2e8f364

SHA512
78d2c0b8d5596b4ce1fc2a674c40a9984370a7e9ed7805be955e9c51454cbc0dca5f6cbd8e27ee39b15631774b153b3332dead8a842b06c15c3022a5d1eabe4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
91d39aa674fd49d09451118952585fac

SHA1
571bc0e2fda03f19274f87c43416cbd6252971c0

SHA256
d770e4751cc72caa901bf54571e6baa846dff20efb01c33beab83d5d0f4e71c8

SHA512
4a84cf516899aca29beea11695036d3073b4564e06676c26a0e06f18f0bdd9556fe2c055d932a5b402b9e10f040d7017a45bae884ac4f6dbe12c45d738697156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5fe9ced3b25ed0337f61da6d5ef3598b

SHA1
15227d51533d58ae78cb75e2e9aa2a552d067d15

SHA256
c0763368bd4716ca4248a355d1ab1b1258f8897cdccecce9d3e496d5d7d52e0c

SHA512
dee8fc7407eba8a16031b233243f435d93feb1b9871e4bd8e2b03fd7d34264885ae1951d5727d815d80751c37023cf5df48ba1d32470cf3bd02f2f2b0acf1d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dfb0ee545e09020434943e4c0695d762

SHA1
f9915196c197743a3c0438b3007b3080a167d160

SHA256
7ddc01353296e7c51003cbe21c83aa376ff8c8f4f6ab606e07c40ccb98114737

SHA512
62f8153ba0d868f744619a6f6d82985f8a8bf952be3183fa1939fa88ce968aae1f11c1cccef6d4c6258a477a15061d4b4e4c55f6f9778abfd2a219a2ecd5e58b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17af014e140cfbf007e325ffe5c74518

SHA1
615caaea8eba307075ce6d102a4cc548a62872d4

SHA256
9444d71563eec647c1e4a24e5908154387d86cf01eaf88d10a5df70f7adcb87a

SHA512
7ac7b81466317ef5baea8d87d72780672f5b6cf71da9eea183454cd0691be25383a1c3da13a6d4fafc81b2f83d67ff5e1b78f9d801c67918e950fc1e1ec9b52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe0769301203fb0e1d065c5f4ab228c7

SHA1
2bca481fcb0b7a4f359198e11a936c2234a0c291

SHA256
d0c5cbc4b6c53cf2002b2e8de58b7267e70677f62bd98984a668b9e691d115b9

SHA512
b03ef2dd243ab28c0efa775a412af4348b3a9063aa32f9fb3d1fcdcd7694ce206b7ddd3b178d494b3c69462e4f1e60b8722a93fe18612b9656c2e213130caf8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca0db7e36d77d4dca289f54fef72123a

SHA1
c517620a009b416f15f55b04257bd334dca99712

SHA256
a551c3897cc019afeb9a692795e5aaae2fdf4477a98abce2ff9576ced67189b2

SHA512
72f6cb14717f5cbdd27de025a6bf7c8ce7040ba55921f832469bb8f2f4263dfff9c2451053b8d03981a7cec70d6dd9d9a153bd2d341bb3046c83c988d49141fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
358334b1ecedea1f491499640297e816

SHA1
ffb1ba36fb87eb3d96cb70ac947ab9519bda51fb

SHA256
39e6e8db86e2198f335ee440ac406e57877d9212f487934083c16ed9daf3f860

SHA512
7fa0bee1653a8a801d3ac7d96c11cfcec015ccf01841d02e6caafb22064de18df92a30c5d9333e52db584124dc06db6fce188f8e5c6743e9c958215db269c328

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e84a4d4e93844789076abca47f879f2

SHA1
335e6c02ec70f9f65a4db91733c49eef0bedd3ea

SHA256
e3538441c362cd9c5fd3a383b633c94ad1c587244794b7e17b6551491d4ca868

SHA512
23b4b702d8a7de44952910748468e14d5ab31280153b9f0a1ab73f2439928c30fbf98e46ff8817671d95d9ddf653c0f5c4ec57d1187c150c91dd1a63217cb03f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be8cbd3fdfa95e41c2c488212d2da5c7

SHA1
627f4d5e4089c06db08c2077e58ac3fbba0f5a0a

SHA256
8a774a075e6065286a908f3381e07e1381cb3e84fc715b67ea3fa8fc1edf9e9d

SHA512
6d37add72c36f6457f1dfa9e59e88642de0b5d49cbe704ea4f3892ca5265a32176357dddeaa2a30ffb965e1222b9c047ac875e53ecd8e1be6a528b9c3f06d48b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
4d322d4586bf2013fa7c271a39a5a029

SHA1
f8cffa6aa7766a28d9192aad74f554e617d56838

SHA256
19c545d38748a3fa0adbf6be17a5406474baf19425b143cb476c9483dcf03d8e

SHA512
c32ddce5db4fa7e37b30fdbc566d66b47143467325f78a8064f61bba5cae0682ef1314c2186cf2aac1f4d0487b6b800101122e58a12ee916b00d0891ef066fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
d76ead0fba78ed2cd755167ce99c96af

SHA1
a9e14cac4eea211585cabb437d42ddc1102c4d26

SHA256
7bf927a7c061d4a546e44d11d29fbf6bf5b1bbcd0b21444f9e7c690b6e2f30d0

SHA512
a9b4d8f9f3f87be9c333eaee0ca955c577a2fc246f039113a8a991cd4a7e88e166c2e9b0fdc176470c0ba86c55846fccfb6a3c8982fbb8024b8154c4dd1877b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
9123155369456d98427e1a507f2977bb

SHA1
6357f3b8f351b6ef0cd5740139e97daa920a01b0

SHA256
8cbfb25f896999acae197d1449236f40a806b642770c375277ddf722bd88ceb3

SHA512
e0099fb5c78506af3375e50a38a0f5b7acbcc9acc9bc6e2bec16d7f45a65acb1f9f0b9f7eb304e9f1282ab4bdb69cec008794f030052ff7b7d51b24781e5eca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
9bc99fa2c79f99e8b2c66d2503c3a92c

SHA1
3b2ce92d3082b062942205cfce82c5203459d4ac

SHA256
b0cfc0d51641763479198f97fd0dbec19bfc04a0b9ba683bb7e959574a5d06bd

SHA512
aeee436fc64149f6c9c424331812928f95d5a99b055f43b184846d52cf19dfd165ae72c31f44abd4a2479e52ee44b92f032179ba1111e98933a5e66d3d74926a

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier

Filesize
168B

MD5
dabe90bce9e1f3b45df4cde1228a2737

SHA1
32e1c8982830bb1b4bf5f9bc9ce6443e04d5971c

SHA256
46116a36747b2fd9f0a5f5de9ace495a5d740b33112ef7b792e0844e45db8dfa

SHA512
d98c49bf68b28fc4ea5ec834159f59ee996b353d5a1e8d5f0350adfd7b2581f6dd3ad91defbd4df2ea7f3c7f0ca5d42a07648a018f651ec46a64c08ae4c7b90a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 915037.crdownload

Filesize
666KB

MD5
989ae3d195203b323aa2b3adf04e9833

SHA1
31a45521bc672abcf64e50284ca5d4e6b3687dc8

SHA256
d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

SHA512
e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

Download Submit
C:\Users\Public\Desktop\┮ா⸪ሧර᲋๚ⷄᷯᱛࠉᲿ⸾⿭♈ລঠ‬⟮ჯ↫❒໬ೝ᝻౼

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/2720-625-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2720-626-0x00000000005C6000-0x00000000005C7000-memory.dmp

Filesize
4KB

Download
memory/2720-822-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads