fc5bca3c384922d0d27ba63e56e22c4463206cbbf90ee50a115e644278837420

max time kernel
91s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2025 17:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Знімок екрана 2025-01-17 164150.png
Size

89KB
MD5

bc6ca19d49bf9037ac632b050e2c7b36
SHA1

3505656078d7dab8cb4e8a0987113d7d146d9cde
SHA256

fc5bca3c384922d0d27ba63e56e22c4463206cbbf90ee50a115e644278837420
SHA512

9ab597c0d067c7ce438ab8e0d7d554124612b85a4e66640e979677866f9dfde48489c33120e75ec902fc6bc85b3616cbd53bf6e9d03457ebc1f4d20e25cd9f4d
SSDEEP

1536:zgmr9TL/IDgOTLEU3uaMSnu2YsA3DNq3EcUfeEoCTWoOkS00zsRh3XY3/+hAOAf:8mr9TCTxrANot6eEzq7kS0dXY3sAf

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4660	attrib.exe
644	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg"	reg.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hello.bat	No Escape.exe
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File opened for modification	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\erode.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	No Escape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133816968206932553"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
112	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NO-ESCAPE-main.zip:Zone.Identifier	chrome.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1560	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1264	chrome.exe
1264	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe
Token: SeShutdownPrivilege	1264	chrome.exe
Token: SeCreatePagefilePrivilege	1264	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe
1264	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
252	No Escape.exe
5112	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2792	1264	chrome.exe	81
PID 1264 wrote to memory of 2792	1264	chrome.exe	81
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3456	1264	chrome.exe	82
PID 1264 wrote to memory of 3368	1264	chrome.exe	83
PID 1264 wrote to memory of 3368	1264	chrome.exe	83
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84
PID 1264 wrote to memory of 4952	1264	chrome.exe	84

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
644	attrib.exe
4660	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Знімок екрана 2025-01-17 164150.png"
1⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7244cc40,0x7fff7244cc4c,0x7fff7244cc58
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4336,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5072,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:2
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4760,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3336,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4528,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4500,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5152,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5736,i,12832244078363792022,17617817883808667845,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Users\Admin\Downloads\NO-ESCAPE-main\NO-ESCAPE-main\No Escape.exe
"C:\Users\Admin\Downloads\NO-ESCAPE-main\NO-ESCAPE-main\No Escape.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:252
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A85.tmp\A86.tmp\A87.vbs //Nologo
  2⤵
  PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
    3⤵
    PID:1132
  - - C:\Windows\system32\attrib.exe
      attrib +s +h C:\msg.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:644
  - - C:\Windows\system32\attrib.exe
      attrib +s +h C:\launch.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4660
  - - C:\Windows\regedit.exe
      regedit /s hello.reg
      4⤵
      Runs .reg file with regedit
      PID:1560
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
      4⤵
      PID:3996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
      4⤵
      Modifies WinLogon for persistence
      PID:3708
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
      4⤵
      Sets desktop wallpaper using registry
      PID:4716
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
      4⤵
      PID:3536
  - - C:\Windows\system32\reg.exe
      reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:1980
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
      4⤵
      PID:4188
  - - C:\Windows\system32\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      Modifies registry key
      PID:112
  - - C:\Windows\system32\net.exe
      net user Admin death
      4⤵
      PID:628
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin death
        5⤵
        
        PID:1752
  - - C:\Windows\system32\shutdown.exe
      shutdown /t 0 /r
      4⤵
      PID:360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a16055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\date.txt

Filesize
120B

MD5
255a8e245b6ad378558b90cbe3dbc3d0

SHA1
6eb73f9f2034c113a2a6b1aab9a440a21928cfc2

SHA256
d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9

SHA512
67e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf

Download Submit
C:\Program Files (x86)\hello.bat

Filesize
1KB

MD5
b86fddd2b764f079615be5d4dc3e158d

SHA1
2510479054db1fe52cc2dcd3c7033d91204cb367

SHA256
2b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091

SHA512
915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63

Download Submit
C:\Program Files (x86)\hello.jpg

Filesize
110KB

MD5
057ea45c364eb2994808a47b118556a2

SHA1
1d48c9c15ea5548af1475b5a369a4f7b8db42858

SHA256
6e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836

SHA512
582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760

Download Submit
C:\Program Files (x86)\hello.reg

Filesize
3KB

MD5
81427e9d5d10657b9edffd22e7b405bb

SHA1
f27ab62f77f827dbb32c66a35ac48006c47f4374

SHA256
bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83

SHA512
b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592

Download Submit
C:\Program Files (x86)\launch.exe

Filesize
92KB

MD5
b4acc41d0e55b299ffeec11a8a20cf08

SHA1
bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa

SHA256
34bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42

SHA512
d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794

Download Submit
C:\Program Files (x86)\msg.exe

Filesize
9KB

MD5
331a0667b11e02330357565427dc1175

SHA1
d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2

SHA256
fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431

SHA512
1c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1979942d5485d312cef0cfbb210bc889

SHA1
cfb508b4d2a9e80c2c6ff406906e602d6b8e46fe

SHA256
7e702784f33b8834f1bdf0ac9afbab302d16cfa95deb6973c88d16ede7633445

SHA512
bd8b7e0f9677dfd2b45b9b9a72d82d78f88c82ff8ab0b1a20d7fa7b16efb797700d257e57751f687c8dd28a0a9560557c6bdd2545b9fadf16d3939263468c12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
74a23d3653bdaa32a7fbe8eea2de9a1a

SHA1
527569b09e0457e3d4b40acb5846918fae7a9b84

SHA256
28529f80979f4a97a0a4c4b3709c8718e6f0f1d6d7e654bb779c81856fc9d74f

SHA512
004a341ece493e7654e410cc514451ec2506a8e410beeb209154cb5def5ec5ae7b2d968ab0370b5d3e5f0fa148f317f638d76ec73978dffe2d72c1739dbe9be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
246681d005e288d51814336b4828f451

SHA1
4c6fc3b67e79c9abe3a0cf44789b1406ba1c5506

SHA256
eed03b7e2d52b0b897894f047f8a2c2d392438baf6534cf16807bc4400588145

SHA512
6e727915561a80742ddcc4b5904812f6a894c4454230908713767f1e4b2fc3d941cfaae2584b3bab11238d75f6a636269c5808a753e4333d7be096ce2d073135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
109762b7e75e0d67acb3d3a3b1eb5a2e

SHA1
c2d4cdf5401bea19f4b309ef2efcaf9eaa03e525

SHA256
3dcba5d110754f9ad07d603d7d82a87bd32b93120f69791d25498f33949e9546

SHA512
a43acff944b450532c70f12320912b8b0ab7ba6afc625281bed9ea4e638f3aa26e00dfd91b9664625ebfe55218a3f60750592a92986aca14590750b1a3606a24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2fa793e7b22575afaacef0addc4ca6c3

SHA1
2fd7239924eb5e018ec73baa6ea31fab6d246b12

SHA256
53a8134885477de50b1f0371f04660b2f649f8bbd660e3c7afdabaa19bab4a3e

SHA512
53481c561c710e4ff75bb73884d0f0906240abafa1c1516c15c014702c69a5f7f1c444f0a6342c23ab0e8a7a63c78af4ccd4986e775a3ac761554b9fff25fbc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fcd3e618c914cb40624341f94c20c2cd

SHA1
d389e02723b5e8b44d8a26ed3d7b2a9d0927e568

SHA256
2f339e0b5a3f6f17df7b99c9a6ba9a351c7d4aa49e5dc597b4af758d3286fac3

SHA512
f2baee1c0d6df12a163dc3b8ab564d772a35ce1a879b9ed0e1b59e1a8641370e05f1bcd374a6a1cc620491d29f971d2481d1bd223292a12c3f161ab31d2bf29b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5191e3ba1d29869168548033a638516b

SHA1
37dcddca7f1a36ab075a046e253b948cdb07c403

SHA256
f6c8e2176fb3b840aba639d2e36be2f26c7014627a66b526fef329ad4d637d67

SHA512
6c4227b686e1f7120610f177343be085fc50ff2ecdaf432604e20a9042515e56d7beeefc38969f7adfb25d7298a78a923da05cd35c275c7ebc9d6490a4228636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
35e7f67846e2593f693e21a3dcf274a1

SHA1
847fdf5590e3df63c674511802c5e5c6b1beffd8

SHA256
a207923539efedffe5667f0e6178b6a1fe93f25d9777119716f6bdfb2920a998

SHA512
88b2b3dd253e664f8be57a98c3343c3d86ab36150b5256c5b23c875cbfa9c611d3c4bdda424015174a4e8aaf9dbfc9383a4e4289669d9bb2df14cc0139140a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
864675a4d8525190fa237823bd4c7f9e

SHA1
2452745faa6255a80bc41cfc136723ffdbd1ca2c

SHA256
05922e5f7b8dcf0a1b04b64f95fbf04353770b1735dd1288b46aedc899a7fbac

SHA512
b2110ac0713c39b0c30008ce307fee195b412dce411e38905941df678c16cec484f915e695e268a48e9c6accb3239151ba3998683ca303cd4caf741ba7ee7ba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3777a5af5037a06e740f0b68890d1bfa

SHA1
716d2a186ee8d2f4265d888aaa423f691393f25f

SHA256
efa8ee797570655bb5facb6f465e65375450736873f06b1efc90f2f6a696f278

SHA512
f34db6fe02fe8d6bca62de289645593c8531e1d11b8a9b0eeafb9b2de6f3d9620107a4f3f720669fc0745a26bdc27b69437e86cb3e4e9c53f651fe4c8b481ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
51279a53f995277d19b43bdaef2fdc7e

SHA1
4e207104468f24eac6a295c9b7a29eff4825bcd7

SHA256
b3e0421c554cbf79b3ad6825482ef47031d43de4d609fd49f675912c1bf9881b

SHA512
1b3859c95939bbbba85b672e3d22b0734e8a29632c40806844b6de7ff29cd84879edf4d2527c1cd415b0190481a5ff90ac59c534aa8fc599e545354c67254c77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b7ab7e751c78113b106870efc4d2cfcd

SHA1
54666adf152690fc80b823d231584f9bfdd9ef82

SHA256
d0408077d42c7642554126da416b2194d63d69bff84cd724745525367448c41e

SHA512
f6845a82a6662c763110126893061be6ed8eb032c1e5cf722a8e675eeabac3e8a2a4a2811917b62f5b1a396922227b14fd1793263b23952f32472dd1e5404008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b46b599a80c126b450eaea880f7df285

SHA1
676ae119416c40fdcd04a8a962ae269ddfd02e1f

SHA256
3c617b0a0848dcf741270241759a43533827c67783fe1b5b6d0bd54fc23999d9

SHA512
02263b2c7e52518045f720c2c473d9dc1486057b070974f7c1fab3943ba49444f36e147325b9f2772c50ef902987bce760367f652fcf2da79789cea207f6c2f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
14b70419d2b0ddcf000748c33d88d5e7

SHA1
664986bbd6c9cd272f3de0c339187dbb89fb95a4

SHA256
a370f9be03b9f43883311d0932b7e80066eb08cea74008690fc5ebe900956a34

SHA512
a63d85692498894cf0fd298eb45c91508b2e67ae9f3e820a99d862bc397f14c4a807f297b6e34fae523d1dbaeebf4813eb61d3eebb3c37727ebd5394b466cc77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
185ec4c6696a64c41d4c1610026b3075

SHA1
e97646ca7fdff158a4e54a6a693171f201808fe1

SHA256
571013bbb5745c4c01ef213eafb3685e5472df11663373949d9c7c71a83310a8

SHA512
aca105b8b38eba590da291b627aa43699c0fe5d479cbbf4fcb6ada97a1941dc800c786cca3dcf69766451f2b29f9a0e407887bf65aa1753f2873a73cfa21f95a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6f3b4bc2d11ff6d6e573848e38c8a8c4

SHA1
3fcc0552188ea3c582d58dead76e51d309cc8b54

SHA256
d8cf905e28e8d87c7c889d69603eaa35b1da41ecd3a20e47a690ec78e0dc0e41

SHA512
055c6e78b4949e19c66249b318500a9bd26435dc1a6c8e5a9db53d4f34a6b92a3d5005435a4c9a1ab1e0e7d9adbc7811c5bb54ea713ac8aff196243ae594112b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
913bde28cfe87a58cad93fef0c48032b

SHA1
382a5600aff533b3399dc5655cb40c53bad0e62a

SHA256
add52c60c992d98cbe66019bb7b7274f4dcd5e48fea0cf3471f244b4294984cb

SHA512
24dad3fb459ef985deeecc1ac964f5fd4f7e1968c739348176036c908673e389085dad7e0eba9d96909ed6237090228ca16e7d59c112c43c7992e250298b4829

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
eee7770607c48292c91d7ce494d45345

SHA1
06bcd1ae9622a5a13ae7f3b51624b0654ce2b7a2

SHA256
63fdc24a31b4d79a6ccace0fe469fa84d547321b22cd45ef2a0989ef3c7d7ae5

SHA512
7f0ddb4ca4cb7a6b05c8b1a3c32b5b95492d14bec1cfe569779738150e2870c74d46b024561ac5253b3cf7954883d22add0f69bad3207b1190f6fb1a81b325e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b34bcb3a61b0b28daaf692836e635a5f

SHA1
be7f2958c9ee4a982c07ca671acc5ccabbb922fb

SHA256
97a2d725524a52fbed0a8aabfcde28463ba6540e73f26072baecc816fb5d6543

SHA512
2033e9801b67cc7f11d88ed5c348eabd22724620dcf16ae0bf868e51932baa8a00be2b83740338b66fe82cabca97a50a3a17279eccd7894b240418b29b41f1ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
f660a273b8bbda12702973e3b2ced771

SHA1
32030e5c0f4001aa3727062d3611d352251286e4

SHA256
debfffa772b81c575826271b6334dbfda543f1e370fea65fa57065755f5e9edb

SHA512
02f16c1825f60e2af7fb36684b6509fe4d731b97e4d5bdeecfa5ba4c405c6ad21fa4e238aaca5b4cf14d0d24b875e369d508e0eb844fa2867ebd28e0f43a3c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b9a58a2b4f10b4e8d7cc37d69521f484

SHA1
66c88f221fbef21c82ecc5a74f19ee5c2ca90ecb

SHA256
b7a4f5fbf13705ab5fc8a1255bfef5e704a733ccfc66867fc53addbea57d78f9

SHA512
607220239e8bb1897a3a1fd1829d1d1562ad602755e30f9ddfdc963706ee7494305e0fce70d7fc7b9527a32620488fad1d22d63ed1bae19687001c3af6e46ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
8a6470772cb0191f1879a7290927b230

SHA1
5871ea34e9dfd652e2d2e14b2f2e13969c6b5bf0

SHA256
8aeb7488d8dfafb39a7f63c72fd894b319d1a7e06b920f048154ff7dce49d7c8

SHA512
f7ab030327027124988a6a7f5a905f3ef62bceaa926f88ef579efba0b10e0f2344e03fdeb81b6c2c8aa4b07fdab61ed45fb84bcfcb6261bb22137bb114f01c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A85.tmp\A86.tmp\A87.vbs

Filesize
588B

MD5
67706bca9ceaba11530e05d351487003

SHA1
3a5ed77f81b14093a5f18c4d46895bc7ea770fee

SHA256
190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f

SHA512
902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1264_1692447757\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1264_1692447757\dc1a2686-2a0a-49b5-b815-ab9ae9fb4d97.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\NO-ESCAPE-main.zip.crdownload

Filesize
732KB

MD5
9172731ba3f16b578bcb14000ccbccd4

SHA1
e7ab716661ed88ecf060dc5d53720877b141eac9

SHA256
ce0a32e35b7c79e7e2ffe7bd3c7566a6fb843341268ad50f4a594e56e17a5110

SHA512
3a35995b6dadf408ca69699220120bba5f70fb3c2a850165ab11dad03821c8ce316bf7e9662f8976e0bf659cdb9adf0c8d0d7beca22b59480e4830dc5e02666c

Download Submit
C:\Users\Admin\Downloads\NO-ESCAPE-main.zip:Zone.Identifier

Filesize
157B

MD5
5a0342fc5cb8b638ec6ac9968492ac45

SHA1
14de4b27eb087d1622dc3d384442f01eb156b56c

SHA256
92392eed085b7fca1e17d67e01debb78493dddc8d0f7475baa958b6961bf1279

SHA512
4880c31267deba7880b18bd968bfa0337697416fdd66d7dc8b115b7ae1f4fdf47a20098e07133682c24a9b47896d96dfcc2250d979696102a3106104ea590dfc

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads