1c1e61fa3ca755e7f1616263bcf948ce2a22ae9d01dac95d4093f59ec5e42ce3

Resubmissions

28/03/2025, 19:50

250328-ykn37azzgv 10

28/03/2025, 19:45

250328-ygeeksslv2 10

28/03/2025, 19:28

250328-x6yn3szybz 10

28/03/2025, 19:13

250328-xxc11szxbt 8

Analysis

max time kernel
393s
max time network
687s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PassatHook.exe
Size

14.7MB
MD5

eafb67ed7734f5561c709b64e6e36b8f
SHA1

d7d5859993759ef0079a92506a9eed6a11fbdf48
SHA256

1c1e61fa3ca755e7f1616263bcf948ce2a22ae9d01dac95d4093f59ec5e42ce3
SHA512

f152eab4c9b4d80ccfb9d9aea316838ea2f10376d681b1371dee02484fa68e8949a05c5fd6536f21939f036bd70cc179e364099d59f3aa3645bb8534b8f2c692
SSDEEP

393216:l++AaWnPOESRAc5OKC4JLXH9ip87knYOwPecB:HtQtgk4JrYp8gYOUf

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
74	2608	chrome.exe
74	2608	chrome.exe

Executes dropped EXE 3 IoCs

pid	Process
1864	vc_redist.x86.exe
1352	vc_redist.x86.exe
1164	NoEscape.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	vc_redist.x86.exe
1352	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
74	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2756	2740	chrome.exe	34
PID 2740 wrote to memory of 2756	2740	chrome.exe	34
PID 2740 wrote to memory of 2756	2740	chrome.exe	34
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2552	2740	chrome.exe	36
PID 2740 wrote to memory of 2608	2740	chrome.exe	37
PID 2740 wrote to memory of 2608	2740	chrome.exe	37
PID 2740 wrote to memory of 2608	2740	chrome.exe	37
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38
PID 2740 wrote to memory of 2848	2740	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PassatHook.exe
"C:\Users\Admin\AppData\Local\Temp\PassatHook.exe"
1⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d79758,0x7fef6d79768,0x7fef6d79778
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:2
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2124 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1292 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:2
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1324 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3368 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3824 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3744 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1680 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4080 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4104 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4212 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4116 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2148 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2244 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4212 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4108 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Users\Admin\Downloads\vc_redist.x86.exe
  "C:\Users\Admin\Downloads\vc_redist.x86.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1864
- - C:\Users\Admin\Downloads\vc_redist.x86.exe
    "C:\Users\Admin\Downloads\vc_redist.x86.exe" -burn.unelevated BurnPipe.{E1E981D2-ADB7-4163-AB70-624CAA88BEB5} {EA70F367-BFEC-40C1-A581-6D13ED7C93D6} 1864
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1284,i,10401323406289098159,7028833741893043918,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Users\Admin\Downloads\NoEscape.exe
  "C:\Users\Admin\Downloads\NoEscape.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4fd217dd-7be2-4a55-9b91-a0126a542739.tmp

Filesize
6KB

MD5
0a240ac53b120cc0052ed294e11b2e0f

SHA1
5fb169b513325c613c488dd996498a6a6f740f4f

SHA256
c09ae2723c06962d33e9b9c017a97ab3084880449b1105d5d90c2ba5b76e7317

SHA512
47f7ceeb44353790d641c790d18f6541198a676777befdceef430e560afb064e1539f13fd8a95cf5a66bc6db7069494cb85b8929ba68e86ae4426b8ba5652f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c1cc965f884401652cf5ae7d51c60411

SHA1
12a4a8718f6ef4183a37b6f0f5d1e4e94ae54f1e

SHA256
f50fede70072444bc1f8b99e9f342d1b9336b7556adff876d64ea1b051244214

SHA512
4adf4fb81281695d93cbeb2e53d7852a3f907b08ca5b9ad36b4f2ed3d15a106d2cb6f87b77c71a1496fc53466880296130e200fecf9eba8536be7ab71d3c5894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1a454f3d347bbd6ec08bf38310c2a7a5

SHA1
8fbd32f2cf83c1d13fc4734aab3110bd184bd7d8

SHA256
01db516a85f063fe36d6d7ffad61b44260190a6ee2f293514669e847a04621e2

SHA512
69a987cbf4a2754e2a7c797fa4889236b1c105bc224576daf5914787761c7e2780de1653c8f2a2bffe6cdea40b507d4c56edc9ed3ef5ff8c116670d722d35032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
144c035d86cc485ec8be000405dc10d9

SHA1
accf962c646bd9c3d893c17d7f06c389accc429f

SHA256
00ed7a2314073b6c41f5f5495a0985d50d171d595bbeaa0617a9cbcd8c9298c8

SHA512
f1d4e4106170cc96d7009beaad84989a9e5246807d69ef457c71545029b01e16730511d0d3ba7c4b8714495d1fb9539533cf26ebaf4c7fc8978e289fe2bfe5e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
2bfb3c4598d26aa2db5eca5b46b03b9a

SHA1
d9fe05836777d2e9ef8062357d6a4eedce2298f5

SHA256
7c1dd20761143ac5ab8ef5c869d636d6759d64248d9ce9116c46e1db59a787ac

SHA512
f19f042a9ea6e3c572bea596332ba607195129ebdeb2f8a3e8a156c729880cf1f11a6a5ee1b73bf83383f7209f6b855667f94cbd2f2d63b065802ce104aa8758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
24a9ed0b3e38e56bd9fe3737b41e95a5

SHA1
ad358baff8dfff586e5a6ed315b38ec611b1f582

SHA256
a0467154f4d756da9884734247b83302d66151bdba187315fa4d1807af4624a4

SHA512
3904652ad5285b34b895731a3b70c139ff9e8dd9f3b88e02b0137294e80e83b73bf842758e1977d785ebcf5e05d2fc46e09d0e9f262bdacea470939180a925c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3d249e60c56df0c2abc2c8446161651f

SHA1
f9884bdea4ccf5ab75da6f6b9223ab80a6f2e1b8

SHA256
ec71fe7046aea1492add5985b781119df1ab87a409171c957702d953d0c5061c

SHA512
e15257c3e1a4e0cec996f7a6a2b4dc57e2cac48a4be07b6c00a34b9bcde40dfb9180385146c7fbb71aa9e8e92f00d15c8d8cb1c43dd0e60de68e3e144cfad478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
86d7cc8cf8d125fbbffc0efbc91eebc6

SHA1
195ea7321a18559d188b5d75339900c86cfbf010

SHA256
a47cb45e7a2def7346bc02d518075f8468227a9727defd85702c0503f7e2546b

SHA512
883d5b29b91c5108169599d5d60ae819272035732d839fe9565fd89b394a6b7ae03cced1b9aed77d14c45ce87484fee9357982e93c3d6e4c4fae65e5392e03fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
388db83b8fed5242b0a7369cd2777ffb

SHA1
534cec13e4f3012de02fb6bf60de196a5a09d47b

SHA256
c28103eebd7236a4be08dac13ad52769c0d7a3d871a1cd8a5485c1522659ae35

SHA512
2927375d0db5acb69dac4f0748daa38d4d5bd308b0ab89d4dea92192e012b637ccad9259ee765ddccc7574faf4419372a0fac9f8f8c69b2c15b9cbf1ee9b77ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1f7003ac8a479f4385ad0e57ec834939

SHA1
c645ade600ad49442d99614adcf34ada60e9ba15

SHA256
5752ee393f8e7953af88b6d44aae2ee63a4b453cb85d67460a5f0ee057321d44

SHA512
4a1b6c0a883729ddd119013e4d6d03cbc0bc333fe69a5ded2c044534b4d794a3ad2ce7d0ca21980a6bde5acf4b23bdd3d93c6f80a758e4133dea7e7d2ac997af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
83b5e2d6673f246b76dc54e4d001e194

SHA1
3b15ac2a4230c4224f21848419da8a7b736fd3ed

SHA256
75426d30b934e472a42e3a230cf9536b9ce17d90a09a57db033e5a994fde569f

SHA512
89f979aa215cf440ed7ca56d10aba0cb6b5dab2d6a66ef029cffee8730a4c940f517d2ea7382dcd0b084a91c036b0077940b732c4993fe8e6245f107efa1a5c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
81KB

MD5
f1bec21aa8ef42a01e6f78fcf0fae46b

SHA1
d55c3b6c9e2973a7af442b6eb5474844a51d7e7e

SHA256
cdf2f77818c486062ebdfffc0aabca0a40615bc2cd5d74755de12a2531f3e4a3

SHA512
8374fc9d3774db8009af965984d476a33e8076379697349290bf39280ccd2890e1de7f96c009376e2b6aa95e37e92614221fa751f9de02cac7de2217975a0a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar770B.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe

Filesize
666KB

MD5
989ae3d195203b323aa2b3adf04e9833

SHA1
31a45521bc672abcf64e50284ca5d4e6b3687dc8

SHA256
d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

SHA512
e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 580097.crdownload

Filesize
13.1MB

MD5
1a15e6606bac9647e7ad3caa543377cf

SHA1
bfb74e498c44d3a103ca3aa2831763fb417134d1

SHA256
fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14

SHA512
e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd

Download Submit
\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/1164-561-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1164-577-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download