Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/03/2023, 17:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://no-escape-10-ios.soft112.com/modal-download.html
Resource: win10v2004-20230220-en
Errors
General
Target: https://no-escape-10-ios.soft112.com/modal-download.html
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | NoEscape.exe

UAC bypass (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NoEscape.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | NoEscape.exe

Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | NoEscape.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | NoEscape.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | NoEscape.exe

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a9673384-09bf-486c-b697-fb47554e43cb.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230331193313.pma | setup.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\winnt32.exe | NoEscape.exe
  File opened for modification | C:\Windows\winnt32.exe | NoEscape.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "192" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe

Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | powershell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  380 | powershell.exe
  380 | powershell.exe
  4500 | msedge.exe
  4500 | msedge.exe
  4964 | msedge.exe
  4964 | msedge.exe
  4344 | identity_helper.exe
  4344 | identity_helper.exe
  5208 | msedge.exe
  5208 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
  pid | Process
  4964 | msedge.exe (12 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 380 | powershell.exe

Suspicious use of FindShellTrayWindow (13 IoCs)
  pid | Process
  4964 | msedge.exe (13 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  5036 | LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4964 wrote to memory of 3000 | 4964 | msedge.exe | 82 (2 entries)
  PID 4964 wrote to memory of 3908 | 4964 | msedge.exe | 85 (entry repeated many times)
  PID 4964 wrote to memory of 4500 | 4964 | msedge.exe | 86 (2 entries)
  PID 4964 wrote to memory of 4920 | 4964 | msedge.exe | 89 (entry repeated many times)
Processes
(indentation shows parent/child depth in the process tree)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 380)
  Command line: powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://no-escape-10-ios.soft112.com/modal-download.html
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4964)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://no-escape-10-ios.soft112.com/modal-download.html
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3000)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xb0,0xfc,0x100,0xe0,0x104,0x7ffb17f046f8,0x7ffb17f04708,0x7ffb17f04718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3908)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4500)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4920)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3084)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2036)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3616)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4876)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 5000)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff738aa5460,0x7ff738aa5470,0x7ff738aa5480

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4344)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1260)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1944)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4936)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5080)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3436)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2536)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4388)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5896)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5908)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1712)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2148)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6044 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5208)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,4380494982455227711,9332077823314067035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4464)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 316)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe.zip\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe (PID 5564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe.zip\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Drops file in Windows directory

C:\Windows\system32\LogonUI.exe (PID 5036)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3945855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads