1290948df44efcfc44f75fc4717945c3c14ce87b66dc476bf0a2595e83e6fe39

Resubmissions

21-08-2024 10:47

240821-mvl6sstgng 5

18-08-2024 19:52

18-08-2024 19:49

18-08-2024 19:47

18-08-2024 19:42

18-08-2024 18:53

Analysis

max time kernel
170s
max time network
175s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-08-2024 18:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Morenos FINAL 5-28-21.pdf
Size

107KB
MD5

449dcc66293d406d6d2123e215121e28
SHA1

e89e93a086ba60df9023151af2d0feccac57529b
SHA256

1290948df44efcfc44f75fc4717945c3c14ce87b66dc476bf0a2595e83e6fe39
SHA512

26b7bb24f437e77168ec01efe58c5e6d229867c8e11d1aabd4c4a2a609afc29e92627ccf5c87b97a68f110cc28667777ad6d6ed483b7326d9c9a84af5785bb05
SSDEEP

3072:x3B1PGaOeIPZwrQOXH93afJ9MVYtB/tVwR8WV:x3B1PtIA93yJJB/QrV

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
78	camo.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684808251791162"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{3596F337-FE31-4953-812D-D34405C3B249}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	msedge.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
4656	msedge.exe
4656	msedge.exe
2120	msedge.exe
2120	msedge.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
5772	identity_helper.exe
5772	identity_helper.exe
5184	msedge.exe
5184	msedge.exe
5272	msedge.exe
5272	msedge.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
3596	chrome.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5736	msedge.exe
5736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeCreatePagefilePrivilege	1196	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2092	AcroRd32.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
1196	chrome.exe
2120	msedge.exe
1196	chrome.exe
2120	msedge.exe
1196	chrome.exe
2120	msedge.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
1196	chrome.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
2092	AcroRd32.exe
5052	LogonUI.exe
2092	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4140	1196	chrome.exe	84
PID 1196 wrote to memory of 4140	1196	chrome.exe	84
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 1188	1196	chrome.exe	85
PID 1196 wrote to memory of 2980	1196	chrome.exe	86
PID 1196 wrote to memory of 2980	1196	chrome.exe	86
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87
PID 1196 wrote to memory of 1836	1196	chrome.exe	87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Morenos FINAL 5-28-21.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2092
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=927526977984FF94E161966D1CED5701 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=04FB3CAAFD916EB26308BE92FD797755 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=04FB3CAAFD916EB26308BE92FD797755 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=92746459110668F5F960322D6DB4BAB0 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A8288882B63BB8C0E59CC14CCFA0DC06 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A8288882B63BB8C0E59CC14CCFA0DC06 --renderer-client-id=5 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76A4102DC1606840FF7961112D51F404 --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8256418E5F0372824719DCF20B49577C --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd394acc40,0x7ffd394acc4c,0x7ffd394acc58
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1868
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff710784698,0x7ff7107846a4,0x7ff7107846b0
    3⤵
    - Drops file in Windows directory
    PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4372,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1404,i,14353709125587247199,6398004274193643380,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4a443cb8,0x7ffd4a443cc8,0x7ffd4a443cd8
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,12712938969676511258,2315704374257370521,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe.zip\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe.zip\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4844

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d6055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
057ad4e714351e9b4d09962e54bb5f26

SHA1
8ab42596cfbed5f7f31645103731ca386984fef6

SHA256
08baa827a82a26386c3053f1cce70cae27c5957943da4ed3bf16ad5f765eae9d

SHA512
a03a50c449ea63e23ffb84152e882eb3904f3bbec72c08378e1df4f29cb17d863dc03d68114f6940c1c1e477c4f8ee9f33ab1e46cd2e686d7c2802f65768be68

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\67102a05-86a0-457e-8081-6b84f3c30947.tmp

Filesize
9KB

MD5
78186288bb8cfc14848b375dbb367c63

SHA1
f57e981915f87b9e9d7e3e21715895c327058606

SHA256
cbdceeb01d0ff60b036202beaa8ebf9faa12fa2a6ccdf57c3c5212e04969d00a

SHA512
26b8b8d4b5caf7be95816b4540eff2f715f791af14c402f45559e215f74616af8795a9c098bdcdae5ab5a4d943d5206042ce149500f1d02e8ce17e6aece72a6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b93679451d868d5784a5f744ff233f2d

SHA1
cd8fe304725c385aacf85fcb998d95173e25c807

SHA256
42ba936d93d1e6ce4e66be4480d1f853a19f816b22c4fd0e1f7752e0e16f1458

SHA512
02c202cfbf681bcc9c479a3846410fc31709bf466ae6edca6b5107e26d6ce6779a51a79617e7afe6668ae5b297d3d8fea81bdf663a09fc52bafc67ef60ba6edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
860593c98ca67a2812889da42fc8b7e2

SHA1
4c1980470b960f546db49077f2cbe69725faeb10

SHA256
0e88f327630027158ac0957cf5a50e96e54fbd8544be770f9ede36829cc21e2f

SHA512
7f0609cd276ffc57f5fc01e8e62ac9e4b296d9088b6534f70e3cb4653d44cca9026bac514f2e4efee8e309172fe79f664cc443c346fa3e84dcaa1064f51e356a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4a7d9332f7635e81505aa7c7f488b845

SHA1
111b0cbbc3c117a744ebe89c08786f4bb5de980b

SHA256
bcafb5fec489f6132daf60e6d7926b1b99dd12ee2398f896a6298a0c280e42b7

SHA512
f86c202e06f9118bd85bc389ce921a6fb896c6f3d2c9fc0ccb53f13ea8fdf1a67e61c57c0ac2ff5b46885945d9ab1dc864ff0ee330340b08f419edc027e39ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1a15daeb6260c90d887975bc863596fa

SHA1
07402d951597c439c78ad39ab4400335095d67c7

SHA256
1eae6114d5ce9728492550071bbd93b191ed3f20397ffc0df1763be77265c014

SHA512
58cfe7d0801bcea98b9a78fe6f431d4f388bbd58ed73b017ee71d2f37acd4258ad462e54a7717e01fa58845d451488192a9323d8dd0d6d004cbc63f04764f55e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83cc0b96f44a3ae71365749bb39e0314

SHA1
6e6b89231036c73194df93605f19914e98193274

SHA256
8a3402d7c979793f8f174eb17c632ab5c89336e751928fc410df8a0500ca7a15

SHA512
9831204e5ae97922a12a126ed6ba7602695874f70a56fda4473be232dcc6937fe9a01164db61f19e6427622e289d70cab9987f5a195b6ee7724a590c08c84c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5851437a62354dfc01ad30eb17e4f17f

SHA1
6a6c8a8ea63c7a5b942888e7cf9994e6593ebcaa

SHA256
a39c024b5764dfaebe6fd2d7ea044e543433ef8786bcc55f0cf941b099b99c40

SHA512
28a40f019fe16867d9e1f3b14afbdde52ce0a6cf9c27a96e010d51c6a589a5206ee21140572242d0d5141ed6a1c3774c4ccf95fb80949dd365c5961b885cb628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9208a828a30610012537b75c10cd4b22

SHA1
f8f60333d4c271e666f51a3ace777b80bf1c6df8

SHA256
c2ab8c8c02ec396c0d92639fdbbd8f716d440dfae996c9142eaa560f86f437cd

SHA512
8178fd6544b46b3bc3ab79d21eee5684b7f452de9f19e86ec7bde508b6a512625965ec3cb32f9d737f0fb864d788a9a349b8f2416c59f03de04753f3b9c2a459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5840e3472b923e779e3dba9b6506303a

SHA1
9b1c3b8d9e90a18aa8ad7b49e6fbb64cf3120fa6

SHA256
0afd69ebdbb68ea70d27695d7dbb5cae9e9d36d4c36bd7be823cddacb01f6555

SHA512
23d63515c3d757ee18b1f30995cdfbd4266ae982b8c53690b1ba2f27f751ab3fe463e2140f69823e6d686171985ac613d81a9a2dd418870b0c84532970a57de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25429f7ffc62c4e2b6d2ab5487efe2e5

SHA1
0c3c05750436cf2797b200c634719ce5539736e3

SHA256
508361f586c0780fa90e54357d52109eee6f8c31a6940f554d44765e4c06b396

SHA512
1abff24f862054b8c45534d4aea4f95ee418270693e337b25e1dcf0cbe4f7def9afea5cfda060281946cb60934ea5f20ec5cca86bcbabd81a4b8618bcb20b5ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae8a42d8f67ef160fcc9965dcc9f0590

SHA1
8b4800d605db118d75ce40ea920efd32be4b19f6

SHA256
b02cb38cf7cf8642bfe384aeee07ff0ed7547533860e9bb0af3bc4410f03745a

SHA512
0982e7df6e0e698746984b85bb24bba1de5f3874b9f0e5744b0ac8afb70a1a4b6dcf284d43e6a83fe070d5c00eb038c3bff484a3c57994a8abb2f6bfbef622dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
993952c790ee7d16e06aa596daace26b

SHA1
daf1b642c1108319a4a3a5953953c4f55d98637f

SHA256
416c568d0ccebfa35f98f56eaed310153cdfe169adb7c7dd15d9841436e5074a

SHA512
8d1f534544ebc9b84184fc480dd21c83965406f7ef6164d857765c3f9c7693e178e4216ff99509f66e1808b15adcbfa5abe9eb9a737d4732abad521e20ce7b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc60717f0e60cc9eb6a1dd269014c40b

SHA1
e29eb4d05ef7cc43588072456f67f84c1a61a1a2

SHA256
12ca27272848c01132d993ae0e809b7e393e4b3f84542c3e889f12d341378ca0

SHA512
fb87e48315358e0e2ae081c3bf3a47daa6ec38b5ba18496b38e12f4b2a3780ce5811c9849365a0383cbe711a8750b320ba8a5d70c5ab9c3630407becdd21b974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc69fd00a0e83d8c5a00fed4357f0eb6

SHA1
1c0977f1221ff32285656717e5db06bc989b1c13

SHA256
3ef8fd5be19a0d286412fb6ac87e33c7a6780172742b23c8944d922cfeb83a60

SHA512
859dd3f474c5703a4a2862692e91c9f4f71ffc43c6bed5576ef671c1a981608bd46218dc1a04d0740c4b72fd408e1998ec09a800773808b6fe3a67f872b10604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43b51b3ae0595913d41a65c78522d91d

SHA1
6e19b90d10fc09cf27ac190116a7de7d4b9acf55

SHA256
78d3633e216ec40013474fc99d037c67da0298292affb253ec6b407a16473b85

SHA512
3c6f9fe400eb808b847ce87b54f4eead8c2ef655db0ebf43356d7cfed2cf2d421c9103b7aab351073cf5d90c53b3cd0fd3f5ae17bf4edaee9213448fe0614b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fdf00d16beb5821e0688a5d4fe7e63d7

SHA1
85fd4b7765ea1c9c64509435a5b7c517322eac88

SHA256
50d9002011452f6a3c600f37594ee5e8225dbbb4aaa4d9d2d84645f908fbc266

SHA512
8af8fd28e9a4c3685855cebb2ea52c206a0c39e636fae797743f3e52ac481d939ba7fb93ba9b0d3ec304e582f688097419fcb76492d85354297eba9711bbdcee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
e01c006dd22e7704c6b420e14453f7d0

SHA1
86f8fe7217bcbf4d82aa0c92d9210cf4f27d864c

SHA256
8790a9fab408b3859dce5d69aff3b93ba741aaaee2522d2e288fe79e403dc7ee

SHA512
c98d93cd70c83f0d977211d5e73fd33598c37c24a4f616cf1eed816a489f3c9a6256704a157bcb976039fbf774de54821963a89e174683c68e5ca85c49c42a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
b7c6c1606848d62f25c60112e5cce519

SHA1
ffb532d73cd8be7cb54d06a6d15e026ced2359d7

SHA256
2fabb1f4105ba2d064f94d74f90a8c5ca14bbd2abbb61dced6d5f58641f171a4

SHA512
7ba0696aa8b3dae8da79497a5cef2576c277e28e34adfcef1d29d66b92cf9d20f01fe73ed31569a5b27754b7a3894af187c886d00d591fe6ae0b61577e91855f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
2ab04d926d248364e25bb2011205aa4d

SHA1
dd8691cf44cc5e728862853dfb158ceec021dc34

SHA256
9c2c541be94cf85c57dc31ee101c69bb4d892deb9496373c711af9a978852f22

SHA512
1e9b617dd05073421c8082205b3cf7f2785485e9a37b851d995a2dab197493c6c65818b0307310f2d526ae4c20ba219e2c05d414f0d7ef9dfd99804f68ee70e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
df3754b60039be33364855c90ca42d69

SHA1
16b4cba262c78aa21158905689e2a65c13c02398

SHA256
4568deebd0e0604f6b1d8b25903432c10a7005280b0a14c4fee1691a680c0f27

SHA512
98d200ea9ed1fc7b46d425c4b62fb008b5b4d124307109310952a86b4d035d31127092c6dfc073a0d534899ff207b6d86fecb6f1cb92c3b9f823b7a52bb12d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
58bbc7f27da6c07025d6b198c3d89fed

SHA1
6097bd1b4dac3fa3cee39c87e0a2f4c5dfb4d627

SHA256
846731a9b60e4731d5bea8f0c9a2a932878e0f48114cb2adf8d112f54d14c0dd

SHA512
648c1844b30a6e440c59ffeef2719f45eef7bc9af2a53997f050fb363f2e677d37864e45ae83f5d4a7da03a870610110c32dfe35d5842bc3dd8948400debc296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
713B

MD5
883e131bfcb45881826e96271e1d76b9

SHA1
30aab60fcfd1fdbaa09ec26baa1f56732e75e201

SHA256
cfbe4839e20e084046d15e92e8a00ca82c54eb114c141865e18964ae2ceb349c

SHA512
cb2366efad161dd05bb7036bd5c672f0b4b2e54384735fe41b093e3005746d751a0d2b85c2c49109959575c8871ff213c321848c31da032dec01111d0f6cffdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
720021f53b1bb8619e1a98ffc370e7d5

SHA1
78dde40e0b7c5b21300e41354710c71fc37cfbb9

SHA256
8ae577b283d8d7f542f61ea410587b05247b4177dd0c13720d764ccf4459e08b

SHA512
52e9f2c1124d20b57703c75fa67d0be86e6551d6008c1072d31c6fe167c75de8dc431aa01362b1965f27c3269b589f396a1630e4fefdfa469288fdb0374641fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b4212dad09f7e2a76ff1dea0b4684e6

SHA1
319b4fceb864fe51ba143c8c6a61bf3a688ca266

SHA256
8f0ce3ebedfd84cfd4477d9a7951a0d5e0108b5fb7ebbae3cd4f61059458e1b8

SHA512
486cbba956cb620ea65dee09908ed9417b88b603934f83c0834ac18eeeaa1822206791e225913826fe754bde089d53ff9f21892545eaa1753960e1397a1de639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6589796ea138547e4dab868032f1ab88

SHA1
5d2aa5de0823557fcb988438779995dabebf8b81

SHA256
0caf1499c588d1a8e5d0fe395b73b90aef1572d8a3ded72bfa2d4f890017dafe

SHA512
575d1d12ab792fb2579792c163e137c5665b2b657bdde9a0d830e5621f8dc5b939e99ceafa94fdc546b0ec09762a8608c41d9e6448df8a5d7f5037a37af83492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce21fbda721e1dd04c7ab020f70477af

SHA1
fcfec45e799435fd3296692a8d762fa2a53d524b

SHA256
e7f00ab753eb5ec2b2b4ec3dea3d0dbb312dca31523953ed18d72e25633589fe

SHA512
8bf80579a38db808bd75c6b61e234ee4fe27592893a8970169d503e7ebf8db135299428d4f15b02b6e2b948e71c57a8cba27c28be9bb206d0eef1cdf6e4b12b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
1b2236f1e7769ce490695b749b77414f

SHA1
7b3f5855ec85807ab5ef971d800dad185aa6c87c

SHA256
d2c0132e68c00c12b19a13ac01bfc2bdd28ca43f67b31cc5a115cfc6be947646

SHA512
a1a96a8653d13cd8d9c51afa37ee65c68554cf8ff3fddcbe334e89641ed9bd1dda8cfb32dcc712855357d0f0899aa25e1590466c29d1d76e999b6541a5df1492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6829efe47b8d059cfc72b52ec62d168b

SHA1
e6fde05c9e2d98ef1b87e20ec9f963f185c36eb0

SHA256
dd03fd1e57086975a2b306f990ac488f730ef587677ea5d6097cfdb775e8bb73

SHA512
ef4031554d8e9c4d02092177eb1855314a9295768a277b742dacdb105ef7d20565be8ef1cdd8d19861f3579083f81ead6b1b98d3e3f78abca2139d146312b616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
511aa015ab6fa30ca31309d224f69d52

SHA1
d47c55502c3f4ea127bc09500fff557ea0020103

SHA256
2cd2be435546b98bb90425b284dbbd13655079299ce54ed3642e5f8c70a25268

SHA512
23a5d8fc7c7c9dcfe64f36fb57b9fe3fbd8f8a73e6fd7d623b8520120e1c257d830066c68ad39771991705a7796a55e503a135852c26ad5ebdfe499ff4b56586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2a31edf124a82ed3c3823b8d7bf0087

SHA1
d42230cb58d79480ff22f5f10df03ca86d31d83f

SHA256
9df0afafa5db74adb4fa5389525bd11fd7cb7a4c88663e6d5635301cd2f6b7c2

SHA512
335159c89b1ef73d99e504353d0c8497c7fb7bca2cbe3c14e57e09e9a36f80f7d0597e611e72a27a9953c04856cacb5edf5c4a4ccf66e304c937b4027379a09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d904284d7b9b94e5a8f36331f9e4ed2b

SHA1
62bad749d20adf2945a955229e63504da7704485

SHA256
5c1036607dda6e9e62f5012f9a26f04e998b3608b9e97df018ade040533eca8d

SHA512
5ef611acc5193db46d4de1ed3732e7e7d3b2597d3dd52b91d4fe2c091ac97554054556d36e759be73d84617190516f58d8567bc438f558e326390706a8a9f84e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
273d7d47450d9711fa648ba130f814f2

SHA1
4fa98922b2591b8f0357ec8edb23e3587b09eb3b

SHA256
bcb958fd8d9875489b231c181691c666f7dfa64cf39617023ed2a0a808e40374

SHA512
f37cb52733ba7a95f62aa04ac9026a1380cb1c49447370198978daaff4287540014695bc959d973acc6fd63c152f12fd4a37b7c8a5a15043b4f03636f45dcacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6ee53c6abc92270da3472afb530208a0

SHA1
92d5d216d1147fdebb372d79e10531470bab2f73

SHA256
85748c1a0457f986498aae79d54c798fc410b921c2f2b938d1cc1e6eaaa85456

SHA512
5dab5ee9f565d67934a9526efbfeb60a9092bb98637fb2c3673b6c2ebb63906040133a32e8101f32164b53021c27ff23b85a91991e36cd5d3a4bec9aa864f19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5852bf.TMP

Filesize
535B

MD5
7db48e1da494d491d99559ba0b03b4b4

SHA1
264624ee155d30c89b0396957d874003d084b47b

SHA256
25f6a9125e0c6aacaa6768a3b726dbee6136fdab85d1e61dd307451a7b7a595d

SHA512
d530ffc39252f1ed8774f5ceb01d7973f6637a1a04da193fe691b9433120994af0eeadbc5b2c3e5778bc1b8fa8a6af07860d87e8d869eb9c74ed09d87a09804d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb6deca4f2af3150792710419f29cabd

SHA1
31bdf15d55651f92cdf4a0f57f94df7da79653c3

SHA256
ba712cb91c4e1ccd588ca759253d8c3e87da1fd6b13794cbf7128fd140c79042

SHA512
4fe9a6d3cabb2dcf106af4dd1c113684c7063758afdfc3d0f01d4127f3ed07c087465a16887fb1a7bab5c67602d5904e9064430b9fe40d0f99d63e7b6a4eb746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4df4ff2294aa92ae2d4880916b4c0f82

SHA1
16e40350c4aeb7f9a79d72eddecfa76be523f51f

SHA256
6c0793d2d6ec26575be5e03d2ce84b9b35807466ffec8465006283669acb635c

SHA512
068074b9de6ac5bd2955da0f4f5dfa9ffd73a257088978cc84920557b5309fbbbd1be846a45f3e1663172375f01a6ff978148e8049446609e5011e6c5db7158d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75090ee318d36d8cd25f77c526c87b45

SHA1
2f72a6d59f88a6c74655051ba273135689d727e9

SHA256
ebaab461512b806cc3744a6761c64656ebb34458020345c204fac1aa9949bb81

SHA512
b814253190f3f83e4077957ef760188cdec3ac0055d8895472c0f59fd20e8b436988ef875ec0835f1ee3fca00848b1bb19554bb91ba04a3619409475139f0a61

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 620647.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\╫▔ᷞᯝညᥬ۽␗ἆ☱⬡㄂Ⲯ❛Ⲇ⧐⭘ᕭホਉᙚⷛڨ࿩݉ဤ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/2092-374-0x0000000009DD0000-0x000000000A07B000-memory.dmp

Filesize
2.7MB

Download
memory/4844-932-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4844-1110-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads