Analysis
max time kernel:  177s
max time network: 180s
platform:         windows10-2004_x64
resource:         win10v2004-20230220-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted:        31/05/2023, 14:54
Static task:     static1
Behavioral task: behavioral1
Sample:          AutoClicker-3.0.exe
Resource:        win10v2004-20230220-en
Errors
General
Target: AutoClicker-3.0.exe
Size:   844KB
MD5:    7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1:   1751d9389adb1e7187afa4938a3559e58739dce6
SHA256: 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512: cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
SSDEEP: 12288:GaWzgMg7v3qnCiWErQohh0F49CJ8lnybQg9BFg9UmTRHlM:BaHMv6CGrjBnybQg+mmhG
Malware Config
Signatures

Note on attribution: every persistence, UAC, RegEdit, wallpaper and C:\Windows file-drop IoC below is recorded against NoEscape.exe (PID 2056), which the process list shows running from C:\Users\Admin\Downloads as a separate top-level process, not as a child of the submitted sample. AutoClicker-3.0.exe (PID 4248) itself only triggered GetForegroundWindowSpam and FindShellTrayWindow, the behaviour you would expect from an auto-clicker that polls the foreground window. The remaining hits come from taskmgr.exe, msedge.exe, Edge's setup.exe and LogonUI.exe, i.e. sandbox background activity. Read the sample verdict and the NoEscape.exe findings separately.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"  [NoEscape.exe]
  Appending a second path to Userinit makes winlogon.exe start C:\Windows\winnt32.exe (dropped below) at every interactive logon.

UAC bypass (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [NoEscape.exe]
  EnableLUA = 0 switches UAC off machine-wide; it takes effect after the next reboot. Writing this value under HKLM already requires administrative rights, so strictly this disables UAC rather than bypassing it, and together with the Winlogon write it shows NoEscape.exe was running elevated in the sandbox.
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [NoEscape.exe]

Drops desktop.ini file(s) (2 IoCs)
  File opened for modification  C:\Users\Admin\Desktop\desktop.ini   [NoEscape.exe]
  File opened for modification  C:\Users\Public\Desktop\desktop.ini  [NoEscape.exe]

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"  [NoEscape.exe]

Drops file in Program Files directory (2 IoCs)
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a5bc9485-ea1b-4816-97dd-eb15c7ee5f07.tmp  [setup.exe]
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230531165648.pma                       [setup.exe]

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\winnt32.exe  [NoEscape.exe]
  File created                  C:\Windows\winnt32.exe  [NoEscape.exe]
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No process or IoC is recorded for this signature.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. Here all three reads come from taskmgr.exe, the built-in Task Manager, which reads disk names for its own display; they are not evidence of evasion by the sample.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  [taskmgr.exe]
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  [taskmgr.exe]
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  [taskmgr.exe]

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. As with the SCSI keys, both reads are by taskmgr.exe, not by the sample.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      [taskmgr.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [taskmgr.exe]

Enumerates system info in registry (2 TTPs, 3 IoCs)
  All three reads are by msedge.exe, not by the sample.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     [msedge.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  [msedge.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   [msedge.exe]

Modifies data under HKEY_USERS (15 IoCs)
  All 15 are theme and DWM colour values written under HKEY_USERS\.DEFAULT by LogonUI.exe (the logon/lock screen process); none are sample activity.
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  [LogonUI.exe]
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  [LogonUI.exe]
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  [LogonUI.exe]
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  [LogonUI.exe]
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  [LogonUI.exe]
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  [LogonUI.exe]

Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [msedge.exe]
  Key created  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings  [msedge.exe]
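The three registry-fingerprinting signatures above (SCSI device names, ProcessorNameString, BIOS manufacturer/product) are flagged because sandbox-aware malware reads exactly these strings and compares them with a list of virtualisation vendors. The script below is an added example, not part of the Triage report or of any tool the report mentions: it reads the same keys and applies the kind of string match such malware uses, so an analyst can see what a given sandbox image exposes. The hint list is an illustrative assumption; "DADY" is included only because it is the disk vendor string visible in this report's own SCSI key name.

```powershell
# Added example (not from the report): what the SCSI / CentralProcessor / BIOS
# registry reads expose, and the string comparison evasive samples run on them.

function Get-HardwareFingerprint {
    # Device instance names under Enum\SCSI look like "Disk&Ven_DADY&Prod_HARDDISK";
    # the report shows taskmgr.exe opening one of these and querying FriendlyName.
    $scsi = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSChildName }
    $cpu  = (Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0' `
                -Name ProcessorNameString -ErrorAction SilentlyContinue).ProcessorNameString
    $bios = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScsiDevices  = @($scsi)
        Cpu          = [string]$cpu
        Manufacturer = [string]$bios.SystemManufacturer
        Product      = [string]$bios.SystemProductName
    }
}

function Test-SandboxHints {
    param(
        [Parameter(Mandatory)] $Fingerprint,
        # Illustrative vendor substrings (assumption, not an exhaustive list).
        [string[]] $Hints = @('VMware', 'VBOX', 'VirtualBox', 'QEMU', 'Xen', 'KVM', 'Hyper-V', 'Virtual', 'DADY')
    )
    $haystack = ($Fingerprint.ScsiDevices + @($Fingerprint.Cpu, $Fingerprint.Manufacturer, $Fingerprint.Product)) -join ' '
    # Case-insensitive substring match; returns the hints that were found.
    # An empty result is what evasive malware waits for before detonating.
    @($Hints | Where-Object { $haystack -match [regex]::Escape($_) })
}

$fp   = Get-HardwareFingerprint
$hits = Test-SandboxHints -Fingerprint $fp
$fp | Format-List
if ($hits.Count) { "Sandbox/VM hints matched: $($hits -join ', ')" } else { 'No VM hints in hardware strings' }
```

Run it inside the analysis VM to see which strings would give the image away; the same output tells you what to change (disk vendor/product, CPU name, SMBIOS fields) when hardening a sandbox, and which registry reads to alert on when they come from an unexpected process rather than from Task Manager or Edge as here.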
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  1496 taskmgr.exe, 64 events. Process enumeration is Task Manager's normal job; no sample process appears here.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  4248 AutoClicker-3.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
  100 msedge.exe, 14 events. Edge launching its child processes with the block-non-Microsoft-binaries mitigation policy, which is standard Chromium sandbox hardening rather than sample behaviour.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege            1496 taskmgr.exe
  Token: SeSystemProfilePrivilege    1496 taskmgr.exe
  Token: SeCreateGlobalPrivilege     1496 taskmgr.exe
  Token: 33                          1496 taskmgr.exe   (privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
  Token: SeIncBasePriorityPrivilege  1496 taskmgr.exe
  All five are enabled by Task Manager for itself, not by the sample.

Suspicious use of FindShellTrayWindow (64 IoCs)
  4248 AutoClicker-3.0.exe, 1 event
  1496 taskmgr.exe, 63 events

Suspicious use of SendNotifyMessage (64 IoCs)
  1496 taskmgr.exe, 64 events

Suspicious use of SetWindowsHookEx (1 IoC)
  3340 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 events are PID 100 (msedge.exe, the browser process) writing into its own newly created children: 4644 (procid_target 101), 5040 (102), 2160 (103) and 4892 (105), with 5040 and 4892 receiving most of the writes. This is how the Chromium sandbox broker hands startup data and policy to a new child process, so it is not evidence of injection by the sample.
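The NoEscape.exe IoCs above (Winlogon\Userinit tampering, EnableLUA = 0, DisableRegistryTools = 1, the noescape.png wallpaper and the dropped C:\Windows\winnt32.exe) are all host-checkable. The script below is an added example written for this report, not code from the report or from the sample: run it from an elevated PowerShell on a suspect Windows 10 host to test for each indicator, and, if Sysmon is installed, to recover who wrote the registry values even after they have been reverted. The "clean" baselines (a single userinit.exe entry, EnableLUA = 1, no winnt32.exe in C:\Windows) are assumptions taken from Windows defaults, not values the report states.

```powershell
# Added host-audit example for the NoEscape.exe IoCs in this report (not part of
# the Triage output). Baseline values below are assumptions from Windows defaults.

function Get-NoEscapeIocs {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon\Userinit. Default is "C:\Windows\system32\userinit.exe," (one entry,
    #    trailing comma). The report shows ",C:\Windows\winnt32.exe" appended, which
    #    makes winlogon.exe start that binary at every interactive logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $extra = @($userinit -split ',' |
               Where-Object { $_ -and $_ -notmatch '^(C:\\Windows|%SystemRoot%)\\system32\\userinit\.exe$' })
    if ($extra.Count -gt 0) { $findings.Add("Winlogon\Userinit has extra entries: $userinit") }

    # 2. EnableLUA = 0 turns UAC off machine-wide (effective after reboot).
    $sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $sysPol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) { $findings.Add('UAC disabled: EnableLUA = 0') }

    # 3. Per-user values (DisableRegistryTools, wallpaper) live under each loaded user
    #    hive in HKEY_USERS, so check every interactive SID rather than only HKCU.
    $hives = Get-ChildItem Registry::HKEY_USERS |
             Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($h in $hives) {
        $sid = $h.PSChildName
        $pol = "Registry::$($h.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        $drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        if ($drt -eq 1) { $findings.Add("RegEdit disabled (DisableRegistryTools = 1) for $sid") }

        $desk = "Registry::$($h.Name)\Control Panel\Desktop"
        $wp = (Get-ItemProperty -Path $desk -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
        if ($wp -and $wp -match '\\noescape\.png$') { $findings.Add("Wallpaper set to ransom image for ${sid}: $wp") }
    }

    # 4. The dropped binary. Assumption: a stock Windows 10 install has no
    #    C:\Windows\winnt32.exe, so its presence alone is worth a finding.
    $drop = 'C:\Windows\winnt32.exe'
    if (Test-Path -LiteralPath $drop) {
        $sha = (Get-FileHash -LiteralPath $drop -Algorithm SHA256).Hash
        $findings.Add("$drop present, SHA256 $sha")
    }

    # 5. Retrospective check: Sysmon Event ID 13 (registry value set) records which
    #    image wrote these values, even if they have since been restored.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } `
                           -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'Winlogon\\Userinit|Policies\\System\\EnableLUA|DisableRegistryTools|Control Panel\\Desktop\\Wallpaper' }
    foreach ($e in $events) {
        $image  = [regex]::Match($e.Message, 'Image:\s*(.+)').Groups[1].Value.Trim()
        $target = [regex]::Match($e.Message, 'TargetObject:\s*(.+)').Groups[1].Value.Trim()
        $findings.Add("Sysmon 13 at $($e.TimeCreated): $image wrote $target")
    }

    return $findings
}

$hits = Get-NoEscapeIocs
if ($hits.Count) { $hits | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No NoEscape IoCs found.' }
```

Checks 1, 2 and 4 need the elevated session because the values and the drop location are under HKLM and C:\Windows; check 3 deliberately walks HKEY_USERS so that a profile other than the one running the script (the report's SID ends in -1000) is still covered.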
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.0.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4248

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:100

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff3bdb46f8,0x7fff3bdb4708,0x7fff3bdb4718
      PID:4644

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      PID:5040

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      PID:2160

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      PID:4892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      PID:5092

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      PID:3504

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
      PID:3720

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
      PID:5088

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
      PID:1472

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      PID:716

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff734eb5460,0x7ff734eb5470,0x7ff734eb5480
          PID:1016

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
      PID:1864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      PID:5104

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      PID:3420

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      PID:4104

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
      PID:4168

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      PID:5064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      PID:1932

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
      PID:1692

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      PID:5036

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      PID:544

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
      PID:1892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6568 /prefetch:8
      PID:4896

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,11226568570847801968,5644493455745332937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
      PID:2364

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1104

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1968

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  PID:2056

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa394d855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3340

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
  PID:4496
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 152B
MD5:      78c7656527762ed2977adf983a6f4766
SHA1:     21a66d2eefcb059371f4972694057e4b1f827ce6
SHA256:   e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296
SHA512:   0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Filesize: 152B
MD5:      099b4ba2787e99b696fc61528100f83f
SHA1:     06e1f8b7391e1d548e49a1022f6ce6e7aa61f292
SHA256:   cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8
SHA512:   4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\46ebf11b-c1ef-47ea-998b-d017589a0653.tmp
Filesize: 1KB
MD5:      d44b0c4b7cd4d8502dcea3611259f6ed
SHA1:     dd1497de33ffae0d852c3793ef9ee2024e7dc4bb
SHA256:   d7697f8c669b1fc4e90e0a6eab41849edd855dfbb87b7ae7e92849abf1353a41
SHA512:   0dae8210784d887c5a1c42e50b68e69f9d8caec75cff87e30bdb0a47e1e4cdac25e47ac73a2768065730016d67df4bd296a5f0ee3702bd2499feaae44eee163d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5:      914c003c526aadd868741e789837fed1
SHA1:     948b3b51003d3aaf272827a7f6d710b77dee8e4d
SHA256:   a4ca59c3cd461f7a217f8e9f377efc427fb7bf9cbfd5c846b0f5555108fe901c
SHA512:   6c8a5c1c6a0b74e0ca19aae2ddea04878d3f3f98b243df9a32f4b9f598a9a8b359cd3e1f8506a12e394d6a83b6dd2c78ec3fb1ed9650399e3de35e1489377afb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5:      258b62409c51840f60d3a1eeb34a0624
SHA1:     89093f5531868d2f7b6ebac9dce79344051f29d7
SHA256:   e08e76a2f9a1cec2ff8e09032aed778fd77f18336252368e9603fa158153607b
SHA512:   45ee1e8800a20ea5abf68fb4042e706e00fe7b9e700b1b8db00f7e4761c85a64df28d0a1027668fa4c6298f14d0bae242104a984874012f12035f7c174f283b7

Filesize: 70KB
MD5:      e5e3377341056643b0494b6842c0b544
SHA1:     d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256:   e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512:   83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 2KB
MD5:      c1ffbde4c1fd56de803eb83d7b5b92c0
SHA1:     85fe420393532a9c7929f67fc010a41de612d7e2
SHA256:   c4529c75b04374b8247c280ead866b9df98af284995aa5928422726f2fafe381
SHA512:   44479c9da94935ae59ff920500b26db53f551ebd5953855327b388ec03bdd7c2c44a562b4c31e1771fb0f2385f67ac2debb7d88e0652ec0c98ee032b2c6bacb9

Filesize: 111B
MD5:      285252a2f6327d41eab203dc2f402c67
SHA1:     acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256:   5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512:   11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 4KB
MD5:      627ecd66636b28d8325db29fccfc75ee
SHA1:     f4b048f87163eb346e9dc88eb17cc1735b53281d
SHA256:   a927ca5e4cb591784acaa259a73f1a2435d801edd9b173771f59d5a3c64ddacc
SHA512:   4739fd2b20d6acc015a3dd377d6763b09b35712567ccbd100fac0ebd64d2e2b4d19114fb86ae3f0c1c2d53851c1811eeba87ada7fa77acf72501ac6fab8de70f

Filesize: 5KB
MD5:      8dc0489ecc8ecb967607a542a1277ac5
SHA1:     1683ef8432ac21f4510af4bc489f3dafaee7eca2
SHA256:   e3d151546a4ae5915cc0ef4ccd2e5a0dc92d1bc0854a6f71f02c9ea718ff2538
SHA512:   fb0e86df24b85c789aed835116c5aad3dff69649efeedeed66b8b5bbe36b75d1f6a9aa33b10033484a7b2adc2aa34e4eadeb363d61764d8f6371cea39094c0f0

Filesize: 5KB
MD5:      768a33a116ffa662d74bf40fe10ff59e
SHA1:     402acfd34941348f381b5817c17ddf946ec7efee
SHA256:   b0a7dfab9427d5b2d6fd6b2fbb419fc9c179a7c76a324a84b55da69cf9147b3e
SHA512:   aed80fa6e8be9acdf2edd025a5821024bb6d61085375ab2de4659b1a3645a548812b240b6a63c6e23b94accb3daa06e68cbca730b0de7728969139e2bf2be505

Filesize: 24KB
MD5:      02ee7addc9e8a2d07af55556ebf0ff5c
SHA1:     020161bb64ecb7c6e6886ccc055908984dc651d8
SHA256:   552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc
SHA512:   567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Filesize: 24KB
MD5:      3966348bbd403f0d73c498b32b42c474
SHA1:     e831a80dc7540db9afced875d230530380ec5119
SHA256:   85295f1484a81c8e36f1287dbb3d8c2ff4f80a5b2dc0985b88abcf49850d7542
SHA512:   75a7fe567b809507d121ecfccd5cb85d7dc8e64609f916a450345a1ba959f7535767619970de25f9474c498666ad1b08250697222d5696f7a589f663a035c41c

Filesize: 16B
MD5:      46295cac801e5d4857d09837238a6394
SHA1:     44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256:   0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512:   8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 41B
MD5:      5af87dfd673ba2115e2fcf5cfdb727ab
SHA1:     d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256:   f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512:   de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 1KB
MD5:      8245f5c4dce76e170ed8e75adfd0a21e
SHA1:     62eeb1a11ddbcdf7553e8e9cd49becd6ba5a813c
SHA256:   cd2702ae853fee09886cdf8f4bd17310463f0f956a48771e0f423fb6085d23ed
SHA512:   e4d34109d4461bb27d721cec0155367dcdc896e964a11e965c2a6d751bab064b6382663ef9431db14bcb69bf0a53ac80014add82cf1f60b887ef39c78ef053d7

Filesize: 16B
MD5:      206702161f94c5cd39fadd03f4014d98
SHA1:     bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256:   1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512:   0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 9KB
MD5:      3b2f07aebe9ce587b90df633a4f8aa2d
SHA1:     e00b52b157a21d4bb3bab17594177061f36ea580
SHA256:   4e915357afda7a252c8f91e85da8b86db514492a2c38c926b93b432ff97d6c25
SHA512:   6c93e271255277fd0d94910ba1b81fa2cd980e51879cf31319e9eede663dc341b672422bb2eb2dbc2ba73095aa76c5ebdf3759fe84232a839513568b6abb42a0

Filesize: 12KB
MD5:      6c84e3af1f18ec27638d36e19eb8d4fe
SHA1:     b14a2d6b8229a638a453dfec67cc008ca8d35603
SHA256:   4f28ce0dd2cca1782ecb29dcc54e167d7e461e17c4e3888c4bda2561b70059e0
SHA512:   a94b0b687176448f1247eb8562db0f5e9b1ba407d8b91eca94edecc7a6b51b9d5648d29f3bf7509645d57f216d465a18fab0c90861b71442f1c841a77b83f2c2

Filesize: 13KB
MD5:      d95324e18e101424d15d1be22e3a68db
SHA1:     6b2e77655be68e186710c6642a250d143e1f0bb3
SHA256:   a218cb988e2c68f9ac535e9abd28c40e04616d1b41bfa7781efb92d59f0385ec
SHA512:   3667b474b4ed2c5f627245727b883e75d81c34e47bb5a393047685ba3ab20eb639fbc0d3f4dc156eea4ccbfa7850ca2f7421aefd10aed5d0500ed02c1a27c4d5

Filesize: 13KB
MD5:      a5401d8eacf338e2c7b3aef28b5a3b66
SHA1:     968cc5ecce3fca16a5c5955ce27d83a1c809c002
SHA256:   c79c9a5581146091223fc390ee8ed29f679684f7bc47fbb447231b8c2ace3e08
SHA512:   559d1922813def9c42b2e05950b55e6dd92f80ae9572408f9564dfc6e5c1fa9395f688d45da0e833f3d16aabd23727ed8b62c4bbba00e7583dfc0550052ff401

Filesize: 28KB
MD5:      10ac985b97b16e133eb6d6b3986a6024
SHA1:     6be8e12b6f027a876858625598d29a7c86568e9f
SHA256:   6046c261d706912b5193aa1d6f999d29a3c3f0ee9c981b32742f5c72e282db89
SHA512:   db3006c59994831bf667f415ca39a5053c316bfb75bd642278ad85f984253e66249ee028ef075e8e9f6c1edef25723e11b3db5e90bc93b0e5677603968ab83cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5:      b091565c32d80efce0fcf33635523d31
SHA1:     333b08406a230387f2725af548554969b55c40ad
SHA256:   1a5966989ffc2771c83cca4462c01822572d8be0874e050dfde5d70ab114c987
SHA512:   6d20a4feba679fca5c023e42b65d92a61566c3f483ee303bc0a254a720acbe22aae34a8b5a48c9a3b6bd8439ffd982387f981ddcae6dc2fa162e177ddb61e75b

Filesize: 2KB
MD5:      0aedd25239767aee5e409696701e7463
SHA1:     61ec55d68974d3af8359eff7c7e2e1c97ffcc53e
SHA256:   91a1f95d9e49f566c81c900fdc73f1b73f962404447ed30d114764b537f06edc
SHA512:   2c795cdb20fed7d8bd2dfaf7df6564a96d3a8bba7d2bf9ecbbf1bd4c61655d60a30eb643df812e8f2c7f7b38294ae893da76f5cf20d3503aa9eaa0506a7de8c7

Filesize: 13.5MB
MD5:      660708319a500f1865fa9d2fadfa712d
SHA1:     b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256:   542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA512:   18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Filesize: 666B
MD5:      e49f0a8effa6380b4518a8064f6d240b
SHA1:     ba62ffe370e186b7f980922067ac68613521bd51
SHA256:   8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512:   de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4