Analysis
- max time kernel: 85s
- max time network: 86s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 02:49
Static task: static1
Behavioral task: behavioral1
- Sample: Iris-Installer-3.2.0.jar
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Iris-Installer-3.2.0.jar
- Resource: win10v2004-20240226-en
Errors
General
- Target: Iris-Installer-3.2.0.jar
- Size: 1.6MB
- MD5: 97cfa283f188d846c86e8c0e58d00db8
- SHA1: b9c83d9d0068a89434aaf05c2a1b594d4a1d0ee8
- SHA256: 8649d34616022150e1a099737bce5c07351fd3dfce7ca0978a82b4a435e0931f
- SHA512: 358d6ff9f6a7c594e482a64e1085bd56366dbf094bd81907a9709bb54e2e588d4b8d76da2c8dad5edd2de2ec9a7607758174d16cd919add950ad0cddeb619f13
- SSDEEP: 49152:43VZ7NK4Y745jZOTTGANUjKUlqGFLiELag7p9UD5DBE9:43VZ5w74LkKbqwt4a
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" (Process: NoEscape.exe)
UAC bypass (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: NoEscape.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Process: NoEscape.exe)
Drops desktop.ini file(s) (2 IoCs)
- File opened for modification C:\Users\Admin\Desktop\desktop.ini (Process: NoEscape.exe)
- File opened for modification C:\Users\Public\Desktop\desktop.ini (Process: NoEscape.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" (Process: NoEscape.exe)
Drops file in Windows directory (2 IoCs)
- File created C:\Windows\winnt32.exe (Process: NoEscape.exe)
- File opened for modification C:\Windows\winnt32.exe (Process: NoEscape.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
Modifies data under HKEY_USERS (15 IoCs, all by Process: LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "125"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Modifies registry class (1 IoC)
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{A640153F-3C30-4314-94AE-1D99E9B78C43} (Process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 216 msedge.exe (2 entries)
- pid 3340 msedge.exe (2 entries)
- pid 2292 identity_helper.exe (2 entries)
- pid 1312 msedge.exe (2 entries)
- pid 1588 msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
- pid 3340 msedge.exe (all 10 entries)
Suspicious use of FindShellTrayWindow (36 IoCs)
- pid 3340 msedge.exe (all 36 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- pid 3340 msedge.exe (all 24 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 2696 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every entry has source pid 3340 (msedge.exe); the 64 entries are repetitions of these four writes:
- PID 3340 wrote to memory of 4992 (procid_target 91)
- PID 3340 wrote to memory of 3996 (procid_target 94)
- PID 3340 wrote to memory of 216 (procid_target 95)
- PID 3340 wrote to memory of 4000 (procid_target 96)
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\Iris-Installer-3.2.0.jar
  PID: 5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3340
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffa74e046f8,0x7ffa74e04708,0x7ffa74e04718
    PID: 4992
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    PID: 3996
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 216
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    PID: 4000
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    PID: 2176
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    PID: 5020
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
    PID: 836
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    PID: 4920
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
    PID: 3052
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2292
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
    PID: 4008
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    PID: 760
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5192 /prefetch:8
    PID: 4872
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4952 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 1312
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    PID: 2152
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    PID: 2968
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
    PID: 3920
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5720 /prefetch:8
    PID: 1288
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    PID: 1956
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,11374761592508616352,1435950450680683576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1588
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1288
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1732
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5004
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  Command line: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  PID: 2724
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  Command line: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  PID: 1840
- C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  Command line: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  PID: 2180
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3961855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 2696
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
  PID: 2180
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
Downloads