5f69bc66b594f45abd8c36f4b32ccd4c27b5e3d909927c61e4d0bb29553d8e92

Resubmissions

04/10/2024, 12:49

241004-p2q5favdjk 10

04/10/2024, 12:45

241004-py4w5ayflh 8

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fox X vynla.exe
Size

195KB
MD5

e07a79dfb6409358299b6952600f2552
SHA1

b73413c974ac6a74b04954fced09648a2b4da5a3
SHA256

5f69bc66b594f45abd8c36f4b32ccd4c27b5e3d909927c61e4d0bb29553d8e92
SHA512

682dd7416d9f97c2f7241473b2c70cd32cb708d4a738d76737c185d6d0d3a7ee459a874845d12782a88eb1fe1c1d90a2304c675006920918389dfa7777b7be2b
SSDEEP

768:oFmbYc2FNAQBA9WFydBmu0zbbj0mxds+sY3X/J+k6tB:oFmyNAQBCyLj0m5F4lt

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	fox X vynla.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
632	powercfg.exe
1524	powercfg.exe
224	powercfg.exe
4168	powercfg.exe
4068	powercfg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1532	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725198140353974"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	chrome.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1248	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	632	powercfg.exe
Token: SeCreatePagefilePrivilege	632	powercfg.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeCreatePagefilePrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe
Token: SeShutdownPrivilege	4168	powercfg.exe
Token: SeCreatePagefilePrivilege	4168	powercfg.exe
Token: SeShutdownPrivilege	4068	powercfg.exe
Token: SeCreatePagefilePrivilege	4068	powercfg.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe
Token: SeShutdownPrivilege	4772	chrome.exe
Token: SeCreatePagefilePrivilege	4772	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1468	1456	fox X vynla.exe	83
PID 1456 wrote to memory of 1468	1456	fox X vynla.exe	83
PID 1468 wrote to memory of 3608	1468	cmd.exe	85
PID 1468 wrote to memory of 3608	1468	cmd.exe	85
PID 3608 wrote to memory of 1532	3608	cmd.exe	87
PID 3608 wrote to memory of 1532	3608	cmd.exe	87
PID 3608 wrote to memory of 4604	3608	cmd.exe	88
PID 3608 wrote to memory of 4604	3608	cmd.exe	88
PID 3608 wrote to memory of 1248	3608	cmd.exe	91
PID 3608 wrote to memory of 1248	3608	cmd.exe	91
PID 3608 wrote to memory of 632	3608	cmd.exe	92
PID 3608 wrote to memory of 632	3608	cmd.exe	92
PID 3608 wrote to memory of 1524	3608	cmd.exe	93
PID 3608 wrote to memory of 1524	3608	cmd.exe	93
PID 3608 wrote to memory of 224	3608	cmd.exe	94
PID 3608 wrote to memory of 224	3608	cmd.exe	94
PID 3608 wrote to memory of 4168	3608	cmd.exe	95
PID 3608 wrote to memory of 4168	3608	cmd.exe	95
PID 3608 wrote to memory of 4068	3608	cmd.exe	96
PID 3608 wrote to memory of 4068	3608	cmd.exe	96
PID 4772 wrote to memory of 1276	4772	chrome.exe	104
PID 4772 wrote to memory of 1276	4772	chrome.exe	104
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 4756	4772	chrome.exe	105
PID 4772 wrote to memory of 856	4772	chrome.exe	106
PID 4772 wrote to memory of 856	4772	chrome.exe	106
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107
PID 4772 wrote to memory of 3664	4772	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\fox X vynla.exe
"C:\Users\Admin\AppData\Local\Temp\fox X vynla.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lbDG7KDv.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\lbDG7KDv.bat" max
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1532
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\services\Dhcp" /v "Start" /t REG_DWORD /d "2" /f
      4⤵
      PID:4604
  - - C:\Windows\regedit.exe
      regedit /s "7ZIP.reg"
      4⤵
      Runs .reg file with regedit
      PID:1248
  - - C:\Windows\system32\powercfg.exe
      powercfg -import "C:\Windows\APIs\Cat10IdleOn.pow" 69420228-6969-6969-6969-694202281337
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:632
  - - C:\Windows\system32\powercfg.exe
      powercfg -import "C:\Windows\APIs\Cat10IdleOff.pow" 70420228-6969-6969-6969-694202281337
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\system32\powercfg.exe
      powercfg -setactive 69420228-6969-6969-6969-694202281337
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Windows\system32\powercfg.exe
      powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Windows\system32\powercfg.exe
      powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8b4b8cc40,0x7ff8b4b8cc4c,0x7ff8b4b8cc58
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2208,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1436,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3660,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4888,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5316,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3548,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4596,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3384,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5328,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3132,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3168,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5172,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3360,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5200,i,1977361432487447635,13063423516473761391,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:2340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3604

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ad8235e2175aa9a87f5285d528b1370f

SHA1
d9e83bc0f44aa7148bba86578b78d1e319aea102

SHA256
b8078262b284d5acc1e6d4e35f6df455f9e91dd541524389d47acb520b768582

SHA512
0904d6789e2fb02e5f58f9fe1ee7fafdfabd0934478b5e33d08323d71f1c5cc709ab9838ea72174f1aabd9a2c181aaa069f2d7e57de6bc534f932baa6d792f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
226KB

MD5
82fd8caa33489c40ba1e8ec4470906f6

SHA1
61ca4ea64f919c63bc6deddfa88027217ea5b1b8

SHA256
e94313fbb08d9788b217650f2d5cdfbb7b828c003083059d2fe340c51d9953c6

SHA512
5972ed344ace05b2114fdcd6ef560bb5c6b49b4277356c1e328e9aaa5e8c34bc37c8a6b262f01bd40dfc28a4de133b3834a1cbad7db4119c87412f2805c117b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b3514a2e1045aa2d9b78dec3d45c634e

SHA1
77a4a2d3b0a17b7891cf006d4329848d4be8bafe

SHA256
c9b1e070bac908107e80e4031bed35ebd9f429cbe2ef5d3ae56649ecd7d25286

SHA512
9231feb4773286a8cf7872182cdab88ea54ed30aa53b51f7a7590d3cdcba038363dfb93dbe5f0005cd5dae0f9e6bc929accb534fbd264820a114ab15784dd08e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
417b50d2b651344c93de3100e7cdf681

SHA1
15b0f190b249ebc016a609ebf45ab3c0aac136d8

SHA256
9e372b14d88fa329fb3aed0c8cda0bf385ec27e5cb4678e196256a86305dd6b8

SHA512
8224baac3f3448eb74f97c4d773ae55f06c29352dca771f5d4f48d82829716a49207242e4678970c97e2d3c154a9a5406b6905fdfa2271795bd4f87a3e8ea50f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8f2f6b4fef9eefc9f7c3410783e950b6

SHA1
f362d8b2a0120e731cdb650d5aa3b04991413975

SHA256
11e7cd2d0dec77e15e8e7c987fa90faa3e43a5109c602f40040f1ef9bb1d141b

SHA512
62eb0c732686e8eee60ac85e5fac4f45a61fc236974bb831a7ff3bc79405712cdd8e2b07f3212b4e7f319b56ea78a3ae811a56701a16fe812fe78b2bef46daf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
e34dd1bc16024382b02130580414ee22

SHA1
a08f54ae5ecd36a26a2daa3f615757be87d8a455

SHA256
3a6d0df4396f5f9b53df221feaa43f32716a270e341e48a1d4bad8888cd1dd5a

SHA512
ccbe8bd7c5ecfd80c2d8b6e32c205ecacd18dd72c812a5a0efadf2f1d509c2ef30a5042dbeba641bb92b72928e9ddfdf99d2fd9b680b4108e0db044cde8202a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
286549a47ca1c6f041136f346986d8ea

SHA1
38aa246d203f8022f412a1134fac96c4a4b390d5

SHA256
d4b6d2fbd67a5f746d85c452965942b55f40afd8b572640461d135cb38f2cb05

SHA512
58db660a8517ad2ab66ba1d74a0bf2e5cfc4336d0bb04a4812af0d6d17f93410171042dc6f5978a880e1c76ebf696d3ef7fd794a6e168fe6788b093f8574105c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
587a08a545076e742fa8325fc79d504c

SHA1
cb364ad6c357b647da887c93cf18c65b6181f96c

SHA256
3dbb5644cf823e4e2d0d0bf7c250ee5052d2628a247410786997bfb371865a45

SHA512
be983fb6456756c1d94681a58edeb2b7c6de00314643ba02bd9ad68dd897cf5bac9a4ddd740aad9fe13e839040e55078f191e5ca0b35d3ed8469f98b1d3f59df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d9e0d5a1f44774fe3cf6022f3389768c

SHA1
0a2e8e565ad515fd81c7e6ed6b422168bd9d74c5

SHA256
a613cd61f7325ff4ac6fc38febbe384a9c9ebe2fe63b800c651de1f987a48a79

SHA512
086f7819d872ae6b91b83f5cefb4add31e9372bc7a0dce09d6299f382e0a83c36b3eb86fa29267cf7b6b48decebfec2f6705896ff03fe6fde8c04ca763db6d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
53aa8b8621291ecf70f8de76d6c98a8a

SHA1
890a80088200c2506fb1db6386669bfbe20fbfa4

SHA256
56d4a7fd8ef2229e34b98f50e1864e0381967345411e3341abe4aee5907178af

SHA512
0d3f5b067444df94e7db3ef21bfae163bb7b227bc62e4d985297ad0c2d70a085216d59f81b7e3bbd618fc39a1784c3afe03415b60f5b19777e7f61b9b6f95473

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
77c5ba2ae94fa29967fe8c17fcbad98c

SHA1
1007a62096a88f04ec6ed7d1d68c979cfce1950f

SHA256
176ccc382ed2f66286659e14992e9c4e3955acf95f4d2729535b1e307984c83e

SHA512
6d341080494316f47ea83c876c8703854d2cfcef841cf19920093e6f332b2bb87ec58ecc33ff7061ccf315f44d673c50aea7d2788739d824cb12537863779827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
c3853c9d412aa08bef8b7a21fbb981e0

SHA1
781a50629f43655bd44d730a2b8da9adfdbe3879

SHA256
c98b8f85dc3ae831ce80bfd591696772589d99b7796829606705d9a471b9224e

SHA512
a49c650ab5b6eb9a8dbceaafac7e2c09019f65ee9969898676289441c8933851903c7366d58ab1905b64965cb7450809511d2edb8cd3d0a710f07fb1a6763297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c20353b64c1e1a6d4ce68eb0802db07b

SHA1
a00519f0acadbe8333f17387c296628ddfd0dbca

SHA256
5bc6b6aca22272814c796d8dbdeb8f6256ad2d08f428e667f8fa73d85c0dfabb

SHA512
e35a7214f3ab66b470b6cde6823882c54efd36e687c3171b737ed9408bbd3ce9389fd0b3e0f7d44fff32a59664c50294fcd319dde156d4304cbd82ba334568c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b0cfca95b497ca592578d59a871af117

SHA1
2ed27f7543a126fdf47c8f6518d8c5b3664778c1

SHA256
cdd3afd06b7aac446507b1f3f7a21f07908fe95e4f154e2fbe872c3cf0f82b59

SHA512
b56ef58d6a29dfc48bcf66d7500393eabe500a7a5ed1c9df13dd89f730a02dd4850c10bbfaae395f9e85621219a7c8b9d7fb89cbd2840d37fdd114b6b49e55f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1edf4dfa4cfd82da8d8cf28d60e6305f

SHA1
d7120f15432d58a0eb0cc81579fbef0f7076ef23

SHA256
def4a05bc587a4b94bf191b7fe72c8c678641ccfb653341c38afa8ec561c6025

SHA512
0b5e94d146579f4cc21426df1467b94545cef84b10eae730e2003b27f063134f14871aad3c2d6e2d0f9c46e87d7e87dfdfeb7017420d5a9518451a97d5cafa7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
67ce4586f9f89d7eabd0480eeb35461e

SHA1
d9c27fd9cc2595cdd9dd7fc912f1f6ba393249f2

SHA256
b29e07c19a81f65c5d22be513a6ad280a1d997c7f8336953b9c694213e9afe45

SHA512
414de118f482ae4e8279584eccaa1728eb1d022a29ed9754d8513308b23eab85d68b64fdc00737b7004aab932f88f75aff8cb5b4551986a79cbf9580173eabb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3bb71af4d3248f0849a50a2e97c801b2

SHA1
72f3b751f490bf5a210358d1c6e46ae43d0ba25a

SHA256
c7c904585ccae0b7670ade7d12b10838fab57eab13defb485305efa2f7ee5e8d

SHA512
0122cbf03d4584e983750e45446bc169b90f963c470a099a0f8ad13db395e973ea895d310a21511d342df71341f37f13de91090ab90edbd4af9fff670ad7b1fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1aa2f54139ed2b90a007e58bb2628fa

SHA1
f1eb14bdf26ebb399a60976971127eaa139aceef

SHA256
6f0520f1525588ee7fb5105273849e8f4f9cb94238b7f01d4995a47e4e3396b4

SHA512
416fa4da6505520cea7019a3270b9f7aadcf793040121d58f2bfed7afc761af8b01b72ee087d69590c82312b43896ad7cf596cbaae07670b2bbde6598b8111bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ee2821c8ebd2801394a1d53a8e370250

SHA1
d7b71034c66464888a60fba73d9dad3cfb9cc7f9

SHA256
f0ac9dfb0c8f7c855413611838d46d4b6b9d6aac39b592b6839a758f85ad8904

SHA512
d16a48998e8bc085db7392439015432970a4515517cf332535b801432d04c597e024757a246fccbbd332229fb9a86396609fb3c5be21aaff08ac7324ca96e8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41e6c3bc03cb2a0fe0d33f95aa9f5530

SHA1
7a7d315ac02c221d8a63c7cd2b1888403015fe0e

SHA256
a1999116b1f93da42ac91fdd56ea93b0a721cd3d42f21bd441f4d88894e18e4c

SHA512
b092ce5018d4e5a225891079e53608481ef538f51635cde0e4c16bf4fd1d24d3cab0fd0e6be8728ad6aea07bf29b14223f2aef671c3ff90187d056444944e528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0570c977beb5b24cf6560f096d6c4a10

SHA1
ec4ddd2b376c48ad10549468c3d5a4a2c901c871

SHA256
6ba59c897b32c59f82e453de79505010e0b7dd87b49a283573e666320d85823d

SHA512
8bb388034e92957fe7fa95dd104cbfacf0e11b72f37d415b03a6350c1897ceb3dcfffac7ef209b7fcf8292d2900fbc1c7ffd3e9bd55d258f5b7be4dbe8f400e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe584d50.TMP

Filesize
140B

MD5
98a4ecec065bfabbeabbe96b208a5871

SHA1
20ff245ef0e7e828c1a7c1df773385cf91d82fef

SHA256
335929c8150b850f47ef2a4b25885a33d91ee41999b56d0cb92ddb40c0d8b4f4

SHA512
d8658ea3d24449fa49ca8fd1b965e6cc41110be715f3eea38972cabc311b21440f7ae50691f181fa772a41016d538f0adcedccc483b19eabe8b240f8b61be2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
e715e186462a2d806a593f7033608c16

SHA1
f6e6dfc9adf36dd40db085f7817303f5e38035c1

SHA256
5f2db54a2dca431c0d94c4f40a3de10833851d0a3d0cc2b5dafacb2ada726de1

SHA512
43a7c513e690709b4df6548af610f6bfb4f3749829805c78e6967dd9528f6813152ebcf159e99a43cdc07c0ae449d52934a8e97127c5b765885f521a03a48974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
a928d22d1a6846034e51d79d540dfa48

SHA1
fdac16d86947e7c16e9959d5578310244c1ebc6c

SHA256
b066b85fd85c05e24d6f714bedc6e366b0f7b871a4ea68ab5d60f72a4aa56bff

SHA512
06cdc8230ee20af03f843f371fc8e9b579f30331bc27bb1e62de451261c823066f4f3def0c8dbc6d34742a48b60254133f6144c390eee5824c919cca94e02eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
bdd9b476090a65e12b37606f01b26bd3

SHA1
1db6b57e843227cc210b9f0ffe62c77d6901699d

SHA256
62d9340d7043aa666a76aa0de0166dc24068f2cde476a84596f3ee7e17c6af8c

SHA512
843087ea79e7543384dc6eb6ac1efdbf2bdcc78f9037b99db3b718ed9590ae01ba93a28e34f680238b4c90a69753504f520c5d6a6dc5ae4a4d8babb3447ad283

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbDG7KDv.bat

Filesize
49KB

MD5
12d029a7e23cf93caf2861388cdc621f

SHA1
e6ed2fca26736853e6259cd204acfc0258d8504d

SHA256
14d7c600241a47f887312eeefd191744372d082dcb7d2925a36bad24f4e3723d

SHA512
cd111ec1a28976110e82524d4e06c67171b926e1b52c325bed3c9685b772a36ac7844e5d627a612e8a7f51b6ab973ca6426d347fd9ef4b4da987bbb0100cf1fe

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\ྃὣ⬒ᜣؠ⯘ṻῶ⛝❓ᗜ◫ⅳ⃙⨑ᗧ⧔୯ᑶ⌬֡⩹

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/1000-598-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1000-775-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1456-0-0x0000000000F70000-0x0000000000FA6000-memory.dmp

Filesize
216KB

Download
memory/1456-1-0x00007FF8B41C3000-0x00007FF8B41C5000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads