Analysis
-
max time kernel
169s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
31/03/2023, 14:13
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbkd0MEFsa2VSb3N5bUh3Q3JXNzl1Rk9iaVdrUXxBQ3Jtc0tsdDZwam1yc1MzemYtdGZxdGFEN0xDS2pnVExPTUNOc1FGWHJTbjhPeUxDQURNWTB4WE1Bb1hsZ0pyaEtDZ005Ry00SDU2QV9SbTI2NDlBX3p0NjFHRDFXLUJMME9oQTRwcnJkZlVBNnppcTU5OEFpRQ&q=https%3A%2F%2Fgithub.com%2FEndermanch%2FMalwareDatabase%2Fraw%2Fmaster%2FNoEscape.zip&v=4oATWyMMH4A
Resource
win10v2004-20230220-en
Errors
General
-
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbkd0MEFsa2VSb3N5bUh3Q3JXNzl1Rk9iaVdrUXxBQ3Jtc0tsdDZwam1yc1MzemYtdGZxdGFEN0xDS2pnVExPTUNOc1FGWHJTbjhPeUxDQURNWTB4WE1Bb1hsZ0pyaEtDZ005Ry00SDU2QV9SbTI2NDlBX3p0NjFHRDFXLUJMME9oQTRwcnJkZlVBNnppcTU5OEFpRQ&q=https%3A%2F%2Fgithub.com%2FEndermanch%2FMalwareDatabase%2Fraw%2Fmaster%2FNoEscape.zip&v=4oATWyMMH4A
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" NoEscape.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NoEscape.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\Users\Public\Desktop\desktop.ini NoEscape.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini NoEscape.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" NoEscape.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\winnt32.exe NoEscape.exe File opened for modification C:\Windows\winnt32.exe NoEscape.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies data under HKEY_USERS 17 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247528378415294" chrome.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 4192 chrome.exe 4192 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeRestorePrivilege 1240 7zG.exe Token: 35 1240 7zG.exe Token: SeSecurityPrivilege 1240 7zG.exe Token: SeSecurityPrivilege 1240 7zG.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1240 7zG.exe 3992 7zG.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1716 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1772 wrote to memory of 4440 1772 chrome.exe 84 PID 1772 wrote to memory of 4440 1772 chrome.exe 84 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4896 1772 chrome.exe 85 PID 1772 wrote to memory of 4868 1772 chrome.exe 86 PID 1772 wrote to memory of 4868 1772 chrome.exe 86 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87 PID 1772 wrote to memory of 2684 1772 chrome.exe 87
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbkd0MEFsa2VSb3N5bUh3Q3JXNzl1Rk9iaVdrUXxBQ3Jtc0tsdDZwam1yc1MzemYtdGZxdGFEN0xDS2pnVExPTUNOc1FGWHJTbjhPeUxDQURNWTB4WE1Bb1hsZ0pyaEtDZ005Ry00SDU2QV9SbTI2NDlBX3p0NjFHRDFXLUJMME9oQTRwcnJkZlVBNnppcTU5OEFpRQ&q=https%3A%2F%2Fgithub.com%2FEndermanch%2FMalwareDatabase%2Fraw%2Fmaster%2FNoEscape.zip&v=4oATWyMMH4A1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49339758,0x7ffd49339768,0x7ffd493397782⤵PID:4440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:22⤵PID:4896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:82⤵PID:4868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:82⤵PID:2684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:12⤵PID:4404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:12⤵PID:1804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:82⤵PID:1764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:82⤵PID:2808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:82⤵PID:1688
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4920 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:12⤵PID:728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:82⤵PID:3612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4720 --field-trial-handle=1768,i,12767865520640499245,16311909771800100724,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2652
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3880
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3091:78:7zEvent129071⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1240
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8469:78:7zEvent288571⤵
- Suspicious use of FindShellTrayWindow
PID:3992
-
C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:4908
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39f6855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1716
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD555cb17a73972e2d3151970487a75517e
SHA14dfd084fa70f300d41cd5aa5283aa48b93eb372b
SHA256fb0709511421192f425b45dbcd8222e602ddf71a059b20a573db12b6c55afaa2
SHA512066584aaeba307301c86352509350385b7d993caabbeef0e0fd91e4637d6886e2b8f3124fb4421ab6a5cf332a87e565f20458c460a729c105e63ae84976184a9
-
Filesize
874B
MD56002d211414fc14951f07e3e02063245
SHA193bb68cf51d184465e8d4bbe74ba21bf9338de0a
SHA2567a13c841ef533fa9d8114ef088262c23a78a92749225efec695cde10b64ee989
SHA51228931324c54fe40969bab94e91d2120b2d10a6106070bc09d1c970c7881900e0294f9d78b3ed812807c39a028b9486e4035c1a77fddfc2757b2485798a7f0488
-
Filesize
6KB
MD55e55c2fc14af8031793f51d587aad20a
SHA14ec9201e668ecf7d8d5fa51f6dafa4fbae9d686b
SHA256021f6ede7b53c7b08a9775f0e2fc109115f4ddd6607b7bfc81f0b827d420b92b
SHA51299903ff905d01d5853cfb9b7c45491bcd5036a0d4fad69b73b8f824c5939fc2451b0b8ee96ecb30eb3aecd261d1c36bfcc1d00b7ca7f4ef8ea81802e7e44192e
-
Filesize
15KB
MD58b9e7af5a987717a36869e03ba5e0f18
SHA1454924f33e848284a585dfd79b1fd07715c51e8e
SHA2565a4334cef220662c18f3bfcf8832d5e91af2f08ed19181b6e9f4cb95c6c74b04
SHA51257ac552c1865509bec7c71bc9b200660161697a0e5abfd3b8481b850de87bc6576542731b57bffb504060bb3f5604e64e16d60d67b64081b257e75c26fab4700
-
Filesize
173KB
MD5c8babea2ea9b953eba7ae8663debca92
SHA1a7b73e4ad7b67cc017a35aefeb4f7c534b4e6924
SHA256ff82ee99d5a4cf0294dddad79a220af356eb0fa3f671258e118c86c7cd24430e
SHA51249d5ea1d63fa5663b82c05064448858b2f298523a548182fc530eb2015798c5af3852a5e69a16161c7107d353689d2586dfb33168da0a12aa39f5dd8f461a5da
-
Filesize
173KB
MD543814c89e816582aeb3a1eb0fe3d6fdd
SHA1feaac9c7a04ab9e248b382e2360342e92e217b6f
SHA2564c31e7c74120a59cccb9d6479aea6f9eb190652e197646e99fa3ab6fd92e2377
SHA51208ba9b94def8e4a8445b82d4d3f33c9a5b8164b1b38d8ed0d00d93f3e7ada26b8c7778695b481e439cb8ad590218bedfd993c6ef6851e4db1b69acb581a88871
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
616KB
MD5ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA19431227836440c78f12bfb2cb3247d59f4d4640b
SHA25647f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA5126f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
-
Filesize
616KB
MD5ef4fdf65fc90bfda8d1d2ae6d20aff60
SHA19431227836440c78f12bfb2cb3247d59f4d4640b
SHA25647f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8
SHA5126f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9
-
Filesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4