7a06bf10a4e8cc07674e6ed620fbc8dda4b91565d7c62ff8a255688bb9b4d4c4

Resubmissions

20/09/2024, 21:46

240920-1myrhszenm 10

20/09/2024, 21:43

240920-1k7xeazdpl 6

Analysis

max time kernel
176s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

imyfone-lockwiper_setup.exe
Size

2.9MB
MD5

f8b32e204dbf81a53f7af8049816e25f
SHA1

1d29574d0d26523b3eb394342e3ac3bc3ebb0abb
SHA256

7a06bf10a4e8cc07674e6ed620fbc8dda4b91565d7c62ff8a255688bb9b4d4c4
SHA512

f3190da71c180f896111efcc77d489b1ce454a2ed99477ca940a08bb48cd983b2dea0b23fe5690f9e799f6fa6bddb7bc7054e7c87783544a942380c0202f17bb
SSDEEP

49152:DhwMIHvI63WMBDe6Pu1MJ9TaPohZqJ3rZXYPlypM5HsSSHm7U7I:DeHw63Wmhu1u9TOohQJ3dhMJ

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Italian\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Thai\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\French\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\German\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Indonesian\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Indonesian\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Korean\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Malaysian\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Thai\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\productInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\English\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\English\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Italian\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Korean\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Polish\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\French\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Japanese\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Chinese\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Dutch\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\ChineseTW\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\German\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Japanese\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Polish\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Spanish\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\language.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Arabic\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\ChineseTW\text.ini	imyfone-lockwiper_setup.exe
File opened for modification	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\Log\imyfone_down.log	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Portuguese\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Malaysian\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Portuguese\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Swedish\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Arabic\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Chinese\text.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Spanish\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Swedish\UrlInfo.ini	imyfone-lockwiper_setup.exe
File created	C:\Program Files (x86)\imyfone_down\imyfone-lockwiper_setup\language\Dutch\UrlInfo.ini	imyfone-lockwiper_setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imyfone-lockwiper_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713424198918662"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{19991753-62DC-44BB-9178-6F26F27D84C3}	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4900	imyfone-lockwiper_setup.exe
4900	imyfone-lockwiper_setup.exe
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4900	imyfone-lockwiper_setup.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2684	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4360	3052	chrome.exe	97
PID 3052 wrote to memory of 4360	3052	chrome.exe	97
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 4624	3052	chrome.exe	99
PID 3052 wrote to memory of 3988	3052	chrome.exe	100
PID 3052 wrote to memory of 3988	3052	chrome.exe	100
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101
PID 3052 wrote to memory of 2480	3052	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\imyfone-lockwiper_setup.exe
"C:\Users\Admin\AppData\Local\Temp\imyfone-lockwiper_setup.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4008,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=928 /prefetch:8
1⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff891d9cc40,0x7ff891d9cc4c,0x7ff891d9cc58
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2224,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4764,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3496,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4064,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4680,i,13988583027510218306,5224734725643837161,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4608,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:1
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4204,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:1
1⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5496,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
1⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5492,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
1⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5980,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5896 /prefetch:1
1⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6024,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:1
1⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4916,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:8
1⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5048,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:1
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6132,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8
1⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6560,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:1
1⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6120,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
1⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=5168,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
1⤵
- Modifies registry class
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6332,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:1
1⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6556,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:1
1⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6844,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:1
1⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7012,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7016 /prefetch:8
1⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7160,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7088,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7548 /prefetch:8
1⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7540,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=7032 /prefetch:8
1⤵
PID:4736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5672,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:8
1⤵
PID:4976

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Modifies WinLogon for persistence
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3905855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e15cd1932389b1d999dacf70f2ac4015

SHA1
b5c76cb9435b5c4cb582d3a80882ae92a4617c45

SHA256
88c74fdab0668f8401c86a70b7ce96252fdc815a1c4f59c0c316f02b0d838d20

SHA512
1f1d455c156992a64802e9d262eecb8a61749d7843e0bb5226d42a0a54c9278ce63fc5aedfae1d06898e97585739713f105bb5830705b4ec874426b1a2b3b272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
06e9f98e37e54f75660a35f09ef93379

SHA1
87fba9bc70e5c5ff7a965044020e3509cc4c0db2

SHA256
6bd463a67f814dd75e016afc16811d44efa974a25e95b9f904151ce9cc307a07

SHA512
fa2fec077b223db1877645cdd75f090265cbdc7a59d0cf8db2f1bfa21c201d359e2e700c51b9af2cefcd7a8d1153f078dcb5dc9919c2a347f4cd84cd66aaab30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
a23d1df820dabbcff0ffb0a8f77c5eb6

SHA1
62e3835321922ed6a34e9d4c74df3d4d47ea3ec7

SHA256
60f3a644939bc28d7703946b8287bce74fdc6a9a2c1d570fae59b01099dcbc9a

SHA512
99466cf5cea19f0dcb62aeac46fd0eb63ff61312bd8399600843731bd868931ad4f061cc1e85704598a4dc1609ec7983d7510f1e3759023604c4661d1381ae76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5a110c1dd737e5e477de32384dee2359

SHA1
003e0157e50f1fb273884873d66a2baaa8dfc5f7

SHA256
418c2e045287a75e657429ab5b25c615eb89a3785e51d29f9511eceebbf7c055

SHA512
1a5d427ea2907becc9be18a55b860731a2143338b2eba772052dad7210542ddb749cc75767f64536fcdd35d0fbf913a757c91e465011282b67d6f17db49730d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f18e00bbb50431c36143db638528cb71

SHA1
2885f5c97048005ca3a163e2a8184cc6f407f030

SHA256
e750aed5457fdf1ddef5d39469ca43e5f6f606d230905958e38c7fb20dd766cf

SHA512
05bd7bfe27301a81ca2d7ec9c210b653487a094da2b32a09a837550508f8bcf7c193504de2ef1dac416f56e0d8cafad5726252b169df10909cc9f244d0b4ccb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
abae48035979e411a37341d178abb35e

SHA1
ec6bce79098d92a2a6002efcce745f6642276360

SHA256
9c112ba87e93602fa7034ed9a6d10a8f08b95adf5d507b9145fa1a4618859670

SHA512
1d5bf2ed4def64f49bbafd99c9785e938be23d8ea5bfa62205a5c4d1969e4b922667b24c6ca2c83b6f4cc8bc283638bd9fba7e7c690414fd536b6cb723a6cc85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
90195bfabfd4f4883ba0c4571294fcb4

SHA1
40bd75006586b18bca7e8f904adebc5800b332bf

SHA256
a8836204249ff64844198ed0ee30a6b1fe73859fff8fab0520c7eed2d4c06f2a

SHA512
859201d76b1989632b57b36003bb9e7cd56a761adf3d6a1dd1f9a3fea7438b77279d111a739c8f0f2ca2bf5225378aad52ed7afa07c183f11925e7240cc05f5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9be37070152f2aa5e06bd7ae5aac4f4e

SHA1
687b28ce166e5df7a5221aaf73fdf9378e8b44db

SHA256
4fd4a7329dbec3b499f0569fcb3782146c3b024a09dc760ee7cbdd2061a9c507

SHA512
b96920777346a9d4f8547548ab9b21361d2a00556198e200fb91353b4833dfc61e88f2db2444de5d1a2961f261ac1a9ee1aba6bc1a4fabb78f588ad01281ca86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7a97012c7784d44d8e59098cc7ea855

SHA1
7b3af96c9b8239b094cf09262dca8741f640ef8a

SHA256
ad266747b88d578f5ed5999661f1a3902838ac8c0bb21e39eba239e307f808ce

SHA512
a42efca826ff853a056a6ae3897d8f0b6cfc65ac95149cffec4fb785bfc44fee892d7d848a2305f14ffd1fcdb6b3de71e3673b773c5102aa754767ed716d6b88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5597a794bcc393c8c6f21b6386a7b340

SHA1
8e1a7d501b399963b10f1618866acfea86e4d80e

SHA256
613cdf8f3fc9b80d41dcd19f218de586cad6c537b2c8a9afe2c58c1bfc1f10bb

SHA512
563b07339ec2aaadf0719848de06b3e5728dc98403160f9dfc362e02126823e66df9e79c5e45e1698ab0992b54382412a11cae301adcd44a1ce17036a1b3ba15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
053560e456a08981d2988d45f37af6b4

SHA1
9016b1ee4432a57df17a6d037757b79703f9c739

SHA256
fd95d4c79253ec0c11c489fcf15c648e16927e5b2d3ceccce851b79f3675ad61

SHA512
6131c6134029ba018764fc4cf5a4e6644313234e42f2c76d8a1ed15cf8cb72ffc027ea2b7c423cfa711bd1b5d573b92a76e80e43ba77946b609335af896be451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eeb0d4532e33c9bce2673a5382224f4e

SHA1
55bb087aba66af35cea5feec5b7de9144075e120

SHA256
db33ca69287b6e5cd9804fa72abf26183c07064fcde9a2165538ca23219dba38

SHA512
d9cf204d339ace4fcedc2d99c114e7820d7edbe66cf1c88f7fccd2dcdc47b270ef97ff6066690566758b87647cc8f0fe76eec6266e18abbd386f833b805a372d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
78e7147f0b5c4da45f5e49d2f71448ee

SHA1
a4f21eb53e788e373af99e34df08e991b2f11a90

SHA256
7257ef9b75db0f87a5b6e6a85d97740df9cf0bee5ea461d510a21bc90bbfc2df

SHA512
a239cf4b758753aebcd8a4a772deb7b8aa90f44db8b6fd20e9bff3a71f00e9580740033314082ffdbf82c51107ecd764cab97f615c0daea6a48642f17ee52a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
933b0bd9729c10f3cbfef61c22f4403b

SHA1
de03d88e5fda29d4b4ec4c3c6a8b1983de8afd21

SHA256
9569e29f11b0b8fd702d871095ba15ecd0de689997a50b42f94911dc8f0a18c1

SHA512
01bee8fbf6044c9f739f0e41d5615629c8ad3ef86e7fa5ab8d25be3120c4747050802ce0b0fcb6ecdc779f78708b547a6563372d89f8a9b735c9cd86ab137737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08290bedc18a20f6c5804f49738ec9f7

SHA1
1b608a8c736943ffbfb9859eb8bed66cec76af75

SHA256
62780f71937d81a6a39a666efb510829079bd406e8bc764c9f4ec1b5d5121342

SHA512
de40b292930477a1ade0a8baeebdbbe1bb7d99ecc15ecd0d1bc5dc358006cd4818015fa4fd9e5c08790df4c0b9a2e817ee21b1eb73f916e48f459acc0387a921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f460b212ba661d8e02ac831bd5ab452

SHA1
26f9da3a5584b57348073e9e94ffe54f0671de66

SHA256
703c0f939aa985cf72ff2009e7b0e003c3c1fb1748d5232367c10ae5b805c6f6

SHA512
75f064ac521827de7a0f13c8dbef6b8b092b9957f90f158ba29ceef7826237454eefba6bf8403d5f6de4166ae8a4bdca8d67c0d018f860d947c7187419fbd50e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c9f5eb210d5bdf7fc64bc2a40709d1a

SHA1
0f5871bff60d4f6ac6979c3044ac28873a2bb121

SHA256
1c0c1ab0e96d0ab01dad3039f7f7c9b7078e0776524665493d2374e157ce5aa3

SHA512
78c577955faee09707eea74d81474576f9479e3f4764c730e86f0b3a87d46199bf1389032a8784edb2fa879c365f9816d95b3f045338a1ef31b17d9b9fb4f5b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
37125f6af5bb9a80551a2ec39018c776

SHA1
040dd3d37098f7a7745763e86e4c96fc8a621b5e

SHA256
89d5be9ef79edd10889badcda9e4519315ded7a6da8dc7954f9752f204eac9d2

SHA512
e7ec3f80ceb5d8c265a5ceb4dd26e34f806d988fedb4e402f738c84adc030601c7d8b549a2ef2634984d300c7e6e86ef4c854b2bb59c7bb00edae097bb0002fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
78d63d40b469cf0dabbd7418e8055bb5

SHA1
d50828f9bfc8e8a996787441add53f89b82ea195

SHA256
b7385b6ba341ce9f875a9252c3c4ba1d0771b411ce9d3e77eda2456706c4c372

SHA512
44b77ab88f3f65b0165cb69fae8fe82611283d9956021e6c4e8fa6cd3e5bafafef60207509dc2614d0df7df5062c35d3782f5b7bfcf94c1890f2ea9a6a82d65e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
47aae50efbf6e593acb8bacd0c035564

SHA1
f17a6c85251cf0122d8eb1220e3c3b19c20f6cd6

SHA256
32f2de25e5681abc848a9115c605209335178f039bda9fd1467494ef0c2969c7

SHA512
f23ff12363043153de3d602512cc8904d24169eaaeab69f51b9484c476d6dbd4b7a3438aefed7952cf612247012518575e81bf0dd6e55924337527577ef93240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5054e10e1cf545347d91b6c10844b60d

SHA1
0c7f6025cb605bcfb8542de998c2ee0ec04dd280

SHA256
643a2ddcd12ebf03cdd8f8c3f489a4352e133aa67fbb46637d7af6d174606284

SHA512
8d58556b3b472c0193a763371ebc70c4168e8b5530c557e43e617c0b6fd3b748cbf1e0db832db0fa6c9884a85d217016587c13e9626e0f8a8d828d3f3cb48706

Download Submit
C:\Users\Public\Desktop\ყ⵽᪗ন❣ᴃᘾ⅐Ꮼࡍ⊐ộạᵹⰉ⏇ᵁᓝ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/1684-363-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1684-540-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads