ec3a258141b27d3cdb83949cbe03637b5da953406d4a2261a6c8b7640d8371a0

Analysis

max time kernel
66s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pluto mapper (old).exe
Size

3.5MB
MD5

7294182f058ab0f2b33f9c3eedea3384
SHA1

9c40e090ab7194fe532ae59242eec445f6611367
SHA256

ec3a258141b27d3cdb83949cbe03637b5da953406d4a2261a6c8b7640d8371a0
SHA512

f269698dfb08e738a54312cfacbeb318e0014647b66d6034c86baed134d15452f47f7bd687db03c02a35f0182c0a4965bbac1524d7d49228ade59df7f55b0f57
SSDEEP

98304:U/r4by8mP5/92kxAINXHY/7jDNOTGh8meDGICOOv7krApL:orZP58kOIH2OS1YGICr7BL

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pluto mapper (old).exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pluto mapper (old).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pluto mapper (old).exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1940-0-0x0000000140000000-0x0000000140981000-memory.dmp	themida
behavioral1/memory/1940-3-0x0000000140000000-0x0000000140981000-memory.dmp	themida
behavioral1/memory/1940-2-0x0000000140000000-0x0000000140981000-memory.dmp	themida
behavioral1/memory/1940-4-0x0000000140000000-0x0000000140981000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pluto mapper (old).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1940	pluto mapper (old).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	vlc.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
3060	vlc.exe
3060	vlc.exe
3060	vlc.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3060	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1220	2784	chrome.exe	37
PID 2784 wrote to memory of 1220	2784	chrome.exe	37
PID 2784 wrote to memory of 1220	2784	chrome.exe	37
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 2804	2784	chrome.exe	39
PID 2784 wrote to memory of 1224	2784	chrome.exe	40
PID 2784 wrote to memory of 1224	2784	chrome.exe	40
PID 2784 wrote to memory of 1224	2784	chrome.exe	40
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41
PID 2784 wrote to memory of 2888	2784	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\pluto mapper (old).exe
"C:\Users\Admin\AppData\Local\Temp\pluto mapper (old).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1940

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2792

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WaitUnlock.3g2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:2
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2884 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4148 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2476 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3708 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3684 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4192 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3812 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2728 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3484 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3504 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3592 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1912 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2036 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4556 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4560 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4428 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1084,i,18262312196906649817,2750157643758628624,131072 /prefetch:8
  2⤵
  PID:2404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2400

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1672

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"
1⤵
PID:2648
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe
  "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{93696CA8-1EB5-4EE1-A5D6-EE617C593E16} {5CFB1401-4511-4B09-A126-A14255316D5A} 2648
  2⤵
  PID:1544

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
PID:2936

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a869dbaeedb4e6f3d1428130226cc9f4

SHA1
6a65902a67ac36a6a3947178ae8aff48655e1259

SHA256
89785afdfef1ce4754b830a790b64b8cda6e40a4152660ecf892c19ebff44652

SHA512
ec44bba55f4388dddcae9c4c54c1140a6cbf481e86a6ed149fc596749ebd1a40489bf260966c437b128cce33f97c9b3badecb71fa9d100028ba1a6a713f83f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\922a135e-8c63-45b8-95de-43526cd09a60.tmp

Filesize
7KB

MD5
e72e97cfa551815e1caee87a180e65a1

SHA1
68fe693599456710142d3735f8e6f67a1b599352

SHA256
8b9f8081071ccdd3ebd2e56ed607a4ebff5ab6515a42d3f950baaf2f2b05b6cf

SHA512
871d51891ec75a02a313326152727f7e38227fb8b751817aae684291f609149a0b4500f7f8b4797ed7a4ab9cc1878564c390166fd78c302b9a4fe35c5d34a4d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
70KB

MD5
e383ef862f4c7f2a0c8914815681208d

SHA1
e280c3d5ac7a4168711d8ffb5943c86fe04b9d04

SHA256
37cd92c2c53e7a916e02f3c90a58ecc8510dd2663b6c8ec44407765802c9a90e

SHA512
e665e11c24e50520da6b83f877fa45fe94ed6eb502c4f9bbbbdc2fe539b54111d0a7c442c5828b1f58d000e3f90f33ab600dc9f120e4eee8748931378b265c48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
4864c7666b7a30911b4ea24f15923a32

SHA1
2d896a97726241b090c16e0fe393879276b55ea3

SHA256
fc69993d912b7cf247c59ac685d2ce12d1c69b4e5c7ce4f56d044b62440fec1e

SHA512
5fc562388b567eef540110481abe01c21494f7003ab981f840c222f82f9fc55bdd5407f8842483cc8744f351f80c217927ea8b13be260fa6100fc362360275da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
8cc5c274b8307d0b0c2dc47a68aec0a8

SHA1
844eeda9e7b4e5b5728fe29ab704af68a5d03d31

SHA256
a03ba80305b516ff5f4045e0299648bd12d3dcb53e1cab19aaa46c9061f42ebc

SHA512
a32d61f7a319cc00e5a1b4ee7ca09331244daa4e29021b8d42491655d9c139c0da4bff1010958768e3dcc732f3d68698de14e3f52c49f8ccb4ff2b46f839a74a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
b39a3914d6e160c6ca61e9f38886ed32

SHA1
7125b3142181fa84fd1f81ea3524b57f193b1334

SHA256
a2f695700d53422f20288681f55719419c60fdcefbdfa6d5216c07e039e65fa7

SHA512
474f4a1e1c50fab6fe574099af2a44f770f65b66c63ca69403c599df976fe85197c99d731360d68fce28201fe2be29d1c4515656ef23dd9c46b5a90b922bdb03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
3c834cddbea9326a22a86f9391f2ec4d

SHA1
2ed2e8af9c6078321782a76ec902dfc5ed4e68f5

SHA256
5521a505dcd84d367bcae753e95f25c4ea9c202cdfcd60084474e9a3e0bde497

SHA512
c3eb335133b54fb7470c133153bcb321f49c1c7fc6f92e1d7c41af8900dea9229ae6d3363317abf9241992b79b32967d78991e1d0e8487e10ffdbbf3b8e11df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c9459d8f7c65b301d6dac65b4631152

SHA1
c90806b7d8019d2c5acf928687d17d740a4c240a

SHA256
f0edf120a1b09db28a4590bddba0d98d63d110027df70af09e73147de4229f51

SHA512
e73afdc913f9362d0be9c6201ed7a4677ae4388e5783ac509a498754bdde9c0a1b2b9426a92b527f402c5318ad84b9613ec3dd6f640482e3d23e97e462ddbc89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7dd4e8350f382b2e6dfb73b1554f989b

SHA1
14efbc1a890e820af9b13827e4e45eabe7c4d209

SHA256
df030e43a416f00fc570518a51cb0c86db64e23203b5764115d142fd91e9f8fc

SHA512
55ef4aa984e8b8bb5686ce4f09d4e7d914d316271f1892c37988fa9d5b7fac417c97f8c3f6664b48529fbac6b4c3499aaf3e9672c60289da50b51bb89894d5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0a2aae1d3e7c6da8f58e45799882326e

SHA1
1cf7e85b393a7253573b5744ac3a44daa9441a0c

SHA256
5dc454584e11ebfaeef01a8dd7074f654c23913a2726b27c1c45530ae92ed2d9

SHA512
a44990b0350700f3151840abfe53444a9e51a4bdda0b9b07fa6a9f1d6ddc520701cfd6d86f66d7f8255472a7d9e508f81ddf4809e5dee6dfe55dde8f9a44a618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1fcb0fbb5195a48191197a85d8028524

SHA1
8791e3e5ee38ba6db6b18242cb1836b6e6f86393

SHA256
ef0b8748363519074180e132ea91c50f7a9f9008505736dbf48c0b272615f8b7

SHA512
c4e1cd7a354262f2d0c00e9aa82de5a23000e248726d2bbe23316b5b9ec04a35f7f46f1979f924f2efbdec7c171cfa17cfa55d2326448c0add6d3c8ca8e09f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1205e1a263d76d96378c7e6efda3d84d

SHA1
d00585a92376eee15e8de0afdb097d904a97399c

SHA256
fec3865858a5e13a1f990d67976f5d56f4e63933a70dc8f3450737164b552b20

SHA512
d6700d907ba5468478eb6832169d4c2dcdbe096143b45100b78a928a1c330119facc7f0e8608378adee1599e278cd19a59d0d9cdc36d5d3fa52c9026a994aa08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
342KB

MD5
5434912d91044ce75e73398312e27bdd

SHA1
0e57fca97ab1249c39521480ef891f1453f91d36

SHA256
5377704ee702367651d183f19a9fdc913f1c0981e8c5cb2f392b8a7d411dbac7

SHA512
411f18cdc887c65341f74d91c5addf75f12ae84812adb1903570c5cd11d51b13daacf96e7107b442d59668b95f78b83a206bd920db18dd1e5f3f463a8192ddc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
8162facb3607508e455209d8de6d21de

SHA1
9afb41f424e34fae95c06d831d4638771aa92464

SHA256
bf2652134a94d9626f39ee5d4e9273be58f747bfbc8af6ee2c7890b26925453c

SHA512
b13739b159adbbae888e7715b640bff918dff782020560e727047f09ba14ace2b982ff3280d3bd1edf392063c50ab1f33298c5de2c74fba4f51b10b4f27cf126

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBAD9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBAFB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/448-964-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1940-0-0x0000000140000000-0x0000000140981000-memory.dmp

Filesize
9.5MB

Download
memory/1940-3-0x0000000140000000-0x0000000140981000-memory.dmp

Filesize
9.5MB

Download
memory/1940-1-0x0000000077400000-0x0000000077402000-memory.dmp

Filesize
8KB

Download
memory/1940-2-0x0000000140000000-0x0000000140981000-memory.dmp

Filesize
9.5MB

Download
memory/1940-4-0x0000000140000000-0x0000000140981000-memory.dmp

Filesize
9.5MB

Download
memory/2936-961-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2936-963-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3060-13-0x000007FEF6C20000-0x000007FEF6C54000-memory.dmp

Filesize
208KB

Download
memory/3060-14-0x000007FEF6340000-0x000007FEF65F6000-memory.dmp

Filesize
2.7MB

Download
memory/3060-15-0x000007FEF4F30000-0x000007FEF5FE0000-memory.dmp

Filesize
16.7MB

Download
memory/3060-12-0x000000013F790000-0x000000013F888000-memory.dmp

Filesize
992KB

Download