c987ef43cf5423d65f71ac48cae736bfa419d194da02487178e618e922be995f

Analysis

max time kernel
183s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

account_convert_icon_136995.ico
Size

66KB
MD5

1836b6b594dc60611a302d99fe4d6f7d
SHA1

0a5b0ae5d3608ca46217d59f4d5f0bae18b28cd0
SHA256

c987ef43cf5423d65f71ac48cae736bfa419d194da02487178e618e922be995f
SHA512

c4232cd1444a7cd228e13a63413a095201f8001ae5809e39ab6e68862a5d553c555c8cf3fbae3a7615a28c87eaa906524a71fe5ceca76f8b4690dabbd8841703
SSDEEP

192:PE7JdVvSiWqvlOGoovynE4gnl4QK6RdqiK1gjN:PE7JdlSiWqdQovynE4glQ6GsN

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com
38	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "184"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713149391466792"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
1060	msedge.exe
1060	msedge.exe
2500	msedge.exe
2500	msedge.exe
3108	identity_helper.exe
3108	identity_helper.exe
4564	msedge.exe
4564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: 33	2244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2244	AUDIODG.EXE
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe
Token: SeShutdownPrivilege	3448	chrome.exe
Token: SeCreatePagefilePrivilege	3448	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1940	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1376	3448	chrome.exe	93
PID 3448 wrote to memory of 1376	3448	chrome.exe	93
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 3916	3448	chrome.exe	94
PID 3448 wrote to memory of 4548	3448	chrome.exe	95
PID 3448 wrote to memory of 4548	3448	chrome.exe	95
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96
PID 3448 wrote to memory of 3264	3448	chrome.exe	96

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\account_convert_icon_136995.ico
1⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6bc8cc40,0x7ffa6bc8cc4c,0x7ffa6bc8cc58
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1804 /prefetch:3
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3692,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4652,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4372,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3364,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5504,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3352,i,8887826260172709263,15388006645106947166,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1532

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa7f0346f8,0x7ffa7f034708,0x7ffa7f034718
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,9590327684521944273,493351598640847461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3440

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1276

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4ca8b49aec56511219d70d292fce5a7a

SHA1
6e17e36383789c10c6088227f4870f6b80db1197

SHA256
47b4407683b1eddddb7ff4794ff2fdec3e43312e39c6b60fe19664024a85447a

SHA512
9674f8fac276821e88085c8e1ba55a5beb48c3c4edf3ca186e6979a492074b8e871161d731fed60eb508d6e3f02e14a97f821bf7bb65888fec52cfb7f424c0d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
10785a7df36040e81a8b8ce6561955b6

SHA1
5222b2d5d4e9d03dd2b87b73518725a9c06cc1c8

SHA256
de2f65d18a03c1cc31fbbaf13de9eaa9f75a348b7ed5ccca62cf52616ddf44ba

SHA512
831875a4e23ef1b3dff1b6931f14990a273625438aab90af34aecc9f21df30cfbcc1a5e3f87b500e2964be042ada9b90245ebd60c763cb1b62c36ae53bb197ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
b29cec4b74921723949c9a9655d7b7aa

SHA1
d4e7a6b1c4b1837ab21f885b687f25483d545a6d

SHA256
05db26c5ab081bb1bd7741e8683aa9e0cb16d58df1ab09c098fea88ade9f806a

SHA512
305d430c9708fc5e6edbc8e0fbd911cc936e966edd54b8e36a846cc03c2dcd6ce1f2166512e1ee08eaa57ffc95c4a49ccbb34edee5d52c421e815ad90c4fe647

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0dcdfc6c1d520bf15c4f1c3494fce994

SHA1
ea0250cc08c4a01bbd140b9a5718c58cda315b73

SHA256
d0fe56772f83a73b3b3824ef5bdb499a73a4c25a6fec029f31406b1f245cf208

SHA512
1af0bc4d01130a74b8542b41b760a9ef16ffa54b63e81b242b8f28ea68405ef2925ceea065b89bd71c846f3990526cf8f8840952869353851543c59b78904079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8cf6594b8b8296a58e803da28f3f53b1

SHA1
cc2a59e5d5b2f4d7d852dd3dce15a0a23a260ae8

SHA256
b5e0cec550c1e78721d89e95cbdd6ef743e21bb384a9193d74d2d7ef0482167a

SHA512
88c1a22a0929d3de6c37613425d5c134581652c19ddd75894e004d5418f59a3327506be61108d7b7be2e1f1f143548be2e396c5bc4629b95aff08ccaba85bea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
21bdb6a0e862931908a3b3172efb2fcf

SHA1
56d753f4c35420d134dc108157ec53eab6748f99

SHA256
481f1fa08a46aeaf1b2d95add6a386b4f3307163a759918fd9a4304d247aaec9

SHA512
f491c7741ae968a1b11bcf3838c45dafb52398d5d3f1fdb3376f5c1993e3150bcd6efaaa5e5e435fc9a93a59e3edf05d00e864eaa9b94de8d4818d3278a83bfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
cac8723df06ccccaea82a586b8c88baa

SHA1
e3da8b826d6d24abff8d049fc6a88ec8f985bc45

SHA256
d294a992a1f8b44bcfc03bb7fe6c0d35c77ecad9e5394315d0a9c0f4853e37bf

SHA512
08829c799d108f99516ecc507be0f5a569aff2279a48e89d7fe0805b2c1319c5043e12fd3b08e76340fbe86dde6e7a8cf8d82c7b378d082247f1f591fd0d2157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1022B

MD5
a04cfae2f9e867b806e7fc3ddb20fa44

SHA1
179eed41d4dc8efbe987def7c985e5fb68eee153

SHA256
d8782a8bd0eb23dbf602c126362b3c593dd565ad6fa04115954f4c9e954bc2bd

SHA512
cbc930ae71e16725cc2dea6e424094fe72901757f23e0ec92fb3896393d6463b42b25ea733296f839778d84a0a24de542a0c6c0d08c4ff2f11fec3818e0c380e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17f6140a4736c948c1b640ed3da89b44

SHA1
1b1d138228c6fc544c9c16849778dca2aba76d80

SHA256
f98e574935804340da918dfac5ae45eea528c1674446a30fe9aa40b0ab1ebd5e

SHA512
d0f0d3c9cf2ae09d82f8113bccea2a90fccc2f20a2ad50afb43707e02f5b1dca949936683e34d28b28315a3c3b581c6ad00451d530c4c0aac3c887be0a1b4226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7a5616ce4333d3aa650a3551f0808aff

SHA1
8d719ecb69ba5ccea051aa8d16964eba4ca59c00

SHA256
1b2f9ee16cf1d013dc36077b84615aecc87fb9ce59f4b893ea67f2ca40a92131

SHA512
2ee98277a20d26352a9b018d702de451bae52266075c4b297c330ab702d5eb88edbc75ae7d49d3cb3a755d3655a988382d874f75e2df02c03f6359eea1a668eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8d9e11d8eef5f9b9aa6fabf966d6c1d

SHA1
f210745dc8a32f8c6344000a79c95e3d4a8e7d22

SHA256
22049721b9a0fff428142dcb80ba7f8cd2a9ae1314a999613d694017de54a289

SHA512
59cd4de9b26281702875058ec354c825f1c4778a2275bc203a439eb1ce0e640be598226cbf41f8ff000cbdde662c92dd1ccf0b397c92f885479d9ee6f3679c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b11e4697ed7f1fd405e88fc4957b3541

SHA1
b5f6b27dbc63179aaf3d24bdeefa8b601edf5283

SHA256
2a8e82aa87e49edb165a9e15cf7605d608abf3205f66ceab7d2c93fc50ed66b4

SHA512
d28464171e75ea2d6ca6486c003896e060916bd2e265af71f0df781c2a0130c281d17cfbe25e6b19ba28756ec475ccf48c6625959b2f201c67a59ce81145a541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
886fa100388d153896c9f583caab101a

SHA1
977efc0be9cfc42eb0ba382c75b997f96530ca40

SHA256
ed319b7c19ce2cf3c4c443d0fc2b679c1c15b44a09549c53e935deb403e48ed0

SHA512
349b354b858930ae9d4e04645363d31e29219e301f08c9dcb5e45d29a99738810ce816f60c93d6c29c14d1e948d498d760a618a7f8c1c655aabeba859ad78af8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
04decacbae72262ea99d2df161f92b9e

SHA1
265d188f1ce88bfe3f1f2ddb5d20e1f0d3409cf5

SHA256
e9440a5e85376652450ac6f3b9e5a397e3064994cc8801050c24b74c7b33a796

SHA512
31072367ee68ab9ae9f9a0f09c148bba432f51d8be0534fe3854da6ddb168abde7ee83ba819a411f16be34689c5165799257658f047ed586dda5f5c58caec403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
ce2fb79d82d4ccf4b67a2cc0058a314c

SHA1
cb2f119f870a3e13c0e0d5a9c13ad5adc140d25d

SHA256
2d4038614ebe984390721c977698870ae083c6a72d68c63872d6dcb218eb6325

SHA512
abc04ce140ab26750ad1cf8e4578fd1dd0e1af05da5f9610483bab306fbe19354432b77d968904c20882e4af6b41503f029a264373659cce5b440c2b845017b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
a028fb585dc2f30fe816e3d1835b6078

SHA1
874f784db82857d503f0062751d8e09574f30cb8

SHA256
ec5c4882a18ff97b1ebc12d955618857e5cd2bd90e615701b087c9c56e92c82b

SHA512
69ca67d73bcc85d6d3986e346e8accb14ab4efc51632d483638f1de85048cb0666aabc369398fefa671758e5fc937fd247ae42a4dc862e79fc960428d3024c83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
4c00d25d096f915055818a4bcae1bdbb

SHA1
f3a42e86c056fc4b96c26ba30c5ae013d0e325e1

SHA256
558633e25ade2f35e2ada6842e388ee2325c6fd0e687ec6ffc9a8eee24921e0b

SHA512
08fb7b4afc394d9d06a906de590ea4a4f05d449a9c3875a650ab4ad93782fdfbee593d3b0898ff57c801c300a0a6c99c80eeefcf5c7916414239b3f4f27f7f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c21a56a435bc3e66c2438a223ece204a

SHA1
6f5f0531317730dfc347f3eb1be94d0906214d64

SHA256
f206a3821118956e33075e8bfcfd6cd6218bf8c0ee0042ec3300504ebac216b5

SHA512
70bffb0dd56ff2f49013e8c9c1c3d03a717a3ea47d29d787f73282eb079040e585cde13a01141595a9c261aa19fd5c6dfd365ed254bcd08b40ffab2345fe436f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
48156970a3505dd152a72eec31212959

SHA1
657e3eac07fb6ca1417b3aa3790d2a3f3366849f

SHA256
4e4f785dc06c7b03f405d9a42c988c446849ddbb2a9efd7e4911c4b0ecc11880

SHA512
59742f7866f7f9e275918c7f8347adfbd997b0781b2956881ce22aa11151c962ceac5ce55b7270f75ac0e784ca69e729b733ec66ca5e96b5fe9adff88f691804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
71dd58dab0a08d48f16efd865c5923a3

SHA1
be8cf206cf98f822391cb838abc1f2e2361cfc22

SHA256
12a8f645fed9e899cdb30a57864c13e0baa73c38322a9d535037dcd79a659ed2

SHA512
bc4eeb5ef49bed8fe5eda080cab522c2878c6086395bc515b21948a1f0b7b6b6e829432995f9c8102b351e26166684691ecc57c341f3a83789d4b70a4bc1aeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de6fa235a98e1ae94a0b28a9a915a02d

SHA1
6715068a88f5403fa805a098857301931b3703af

SHA256
fcb11ac8768ab4ff047dbc915c2509dc43b115e507cf6b9260d76425d5674060

SHA512
ef2d4cad098af027331c16a3e389df4d3787ec7587c11640b65051ef2d52ca2c18b3bdd708b6163a8a3c7dc39262bf4044e906d944740689b420a20a4da495aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1935a58f5c225517b4467d8ac4f2f886

SHA1
e3f37229066e28dfaad33ea317e06b5023b1c01b

SHA256
f43e38c8db4a91f1bbd1d45f389c1c093fb803bdd52730c1395bf8659f0cb47a

SHA512
e47eb2f32388a55886c18904804710f67032b728d443aaec806470740eea49c922122300af9619bd03c9f24ed6782072a97de7f77be1590424e50b5c543be9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7cf6294f477d72533e1a6dddd47aec91

SHA1
2f1dcffc20973495d53e3125f72b92bc64da2e08

SHA256
eefbf55a25e804a293e80bbf676817276a06dcfac920d4a7fb32d4995ebf3940

SHA512
a488fd745dc4fccac01c33fa3004c366fc283a6c3095324b406b09d69d633fa1bcdef59d5c9bccba2b2fad9c271571f70f2753ca250060be00e36b3927afc142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df5cbc8d6f1b6a1fcdcf90c7b79530fa

SHA1
3502c21e5636f1948701beaff74ea55349dfbc38

SHA256
f7c0e8570327f2f3101bafd8b55281899af6ffc927b523ff209b3ff195a51765

SHA512
7bf8f7e5afbe6dc04cec4ec31299f3501165662252a0329b4f80b7a1e77894b13c123daa5a9d1696bb0cad092f1b03892433249698a76d8d7919916dd0a45c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5931a5.TMP

Filesize
1KB

MD5
e547f0124b3b562b00ed05f5a7b1d305

SHA1
13f692d6cbce3f9d71e08d5e06693d3e7f21770f

SHA256
bf38efa430b7bd428dc62fd1f0324fba51f9fe81453e739f98342d593628df5d

SHA512
59ae12fdaadd739972fda9e452d790e20f04c8dcc4db5d5c91659827ecf279a6ea949e98b23beed4fbeff331ccb97679872658854d05e6d5f576333dd0a5105d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
397ab705eb70b982aab10ef360a7531c

SHA1
84c6c12a1d10e146530e8d5673ec902bd25d8008

SHA256
a938b62e67223a2c3e0f60f54af74de2d786fcfd460745fc52f859bbc4916d99

SHA512
11c50cf5df7628c9ed872d171042d504b2d3f6da6c7070f4d7f25e5d968e2a7154e8200a951c7d05f94ed301d733d05e39ff162a35996772765bffa7b3b1f340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
620556350bfe9dbc4e2c127ed726d075

SHA1
02f465d70187d1a2c9a754346f37bcfcfec77c5f

SHA256
d8dfab970a4818ae5c00ce172e42577a5bf990567d024d6fc1dddff7fdaefdbd

SHA512
a76b3eb642dede1895c72d684039b9c921362306c1e845080b40259ebe30af45317a4268f76e84a0064682701e58bc3293b333d999ae3d124c9dfa066a532396

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\ਗ਼ႎタ⣮၀ᨸੳ✶⸮ો☌ẃ₾♇⨁⤄ᖎ⟧ἓ⁇⭹᧓ㄉ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/1276-751-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1276-762-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2684-939-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads