hxxps://pastebin[.]com/gU4Zj4SD

Resubmissions

07/05/2024, 19:43

240507-yfk6qsfa24 7

07/05/2024, 19:40

07/05/2024, 19:35

07/05/2024, 19:31

07/05/2024, 19:26

07/05/2024, 19:21

07/05/2024, 19:16

07/05/2024, 19:14

Analysis

max time kernel
75s
max time network
77s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
07/05/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://pastebin.com/gU4Zj4SD

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
1	pastebin.com
2	pastebin.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "98"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-293923083-2364846840-4256557006-1000\{25B4D66A-29F1-4C1B-B91E-8C25BB493949}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	msedge.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2748	msedge.exe
2748	msedge.exe
3664	msedge.exe
3664	msedge.exe
4620	identity_helper.exe
4620	identity_helper.exe
5048	msedge.exe
5048	msedge.exe
3404	msedge.exe
3404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe
3664	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 2840	3664	msedge.exe	80
PID 3664 wrote to memory of 2840	3664	msedge.exe	80
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2404	3664	msedge.exe	81
PID 3664 wrote to memory of 2748	3664	msedge.exe	82
PID 3664 wrote to memory of 2748	3664	msedge.exe	82
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83
PID 3664 wrote to memory of 4172	3664	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/gU4Zj4SD
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4d2e3cb8,0x7ffd4d2e3cc8,0x7ffd4d2e3cd8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Modifies registry class
  PID:596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,1984529101443851252,2525743119503924270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4224

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
PID:408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a29055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a85ad170d758e61ae5648c9402be224

SHA1
e6dfce354b5e9719bc4b28a24bb8241fc433e16f

SHA256
af0da8b5ad8127ae0ef7773bc9c4b145ed3fe7fbef4c48278649e1e3aa5ce617

SHA512
641414d91c993f74b6b71654522359d606c7f94ac0fcca6478d1bc33c30f4a9fdb9ce6f8e281c79a2f9b9670fda8a4ccdd80e7d64347c1f66d8c9ef024bcb09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
22cececc69be16a1c696b62b4e66f90e

SHA1
b20b7f87f8bc64c1008b06a6528fc9c9da449c2f

SHA256
d940b85bc83f69e8370a801951eb6b8bb97efbb3aa427664105db76e44707258

SHA512
2b2e548f2c8f84d321ef2afdf31128065c3593b884ca8111b05800960b5378b99c7efa6165d02fba4c11e6e4b49b14e419d89f76d55ef574f4ac2b7d6ecb3d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
69b01d83e877812aaf42ed370df79723

SHA1
764df27b455eb776c7f462fd9ba6a2fb45410872

SHA256
b19616ff620dc01d02f43e264575cbc69795c756f362e8421468d39a8895d7f1

SHA512
4c1a9a3336ceee77c0e735cbc0e7d05bab3330670cbe5a855421454cf15169d81f40c15fb4e8548e86c98e123b88b9744f36f1fadd8f9f35e29ba05411223865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
93ac0ab36a41a4434b8d7b4119263cd4

SHA1
189b55ea1d108d6f32f120651d6acc6c04c0d444

SHA256
211c8e64157080987f3a6632111392be807feb2b5c114af134131c00cb0007b6

SHA512
cd6a7164149c6d7710a5f24db0dc5da795e0561102cedd83cfd9dcfe7bfac77403b9757f20b9e422ce8a8e656513fd78cf3aeda80fb1b004e7adcfe262cbf004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e03d5fbad2ec34e4224d85f348fa8b60

SHA1
de6097cf8680a76d8993123e7595db8b189cc51f

SHA256
e314b9fe82e4fb3bd569c19c12c81b8125b9dc73e738cdad7ae100fd68e8b441

SHA512
c9f4aeb10ecd8fac2155587a7cfb68257a9310f64e2f47287e8b064a39a05c417efb619f84c12901ab166bfedccd7d8527ce5feda51cc7234fb9c2ff6592d366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3447ce2bf8cf87634db71600b0f936f2

SHA1
a6b9bda3352bfc40419c41930e9db49a32c44b6d

SHA256
743f65231122771ee93c04e7fb3ff225b24158c66285452382425291139dcfa2

SHA512
adf2349bb4d1089b4f77821b739337bdfee3d66e8943dec65426515897dcd3ccbd82cae11e91cf9dd7be064d78ebc87e54b980622d61031aa8ec49885f1497c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21229452f5baa76a28ed574e3ec9e412

SHA1
bc1c51bb0102ec7dd139c14f8d4e4b054b5207d6

SHA256
942b8cafe36edaaaaf7ea18929fa7c2314cce844b146d5024c1a549c4e21818b

SHA512
c09905638f38f0c9b5ab92cd5f135e38d34f6819c70a5835f169177a00a35964c171371798011e5e6cc1712e12d4c170a7cc7cfe07af6423adeb4f6885c06cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65a7ef8eb3b97a814084d01bf4f6dc25

SHA1
c91a88db8ce417a1e22951a46a5d6ee7c0af4123

SHA256
3144c417a0b973d78c77f59ee3193cf4fe46bc008b97e5ecdf3a3505c67e829f

SHA512
7e2b63b4dd062976f047393525e727abcb8cb06963f5bde22fd5ed99d7d3d34159cac14c42da2759631b6d3dec554d5cee34739c014b4f0a31a60a13d3573b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
17461df03058add948bcc8ad42037e06

SHA1
8cc30f0370b2e4a398a8047f8bf38bfead4766c6

SHA256
4f5506014333c29dfc7981879b1145ff8a55d314f2bd834af5050b38881066ee

SHA512
9b8a9866fd70e65e6c527c0c4dbf46a8df40ccb3418bf30c282094a555ac35c81a84090d7c2ec029f0e75dbe4da21d35028b7032f74999d555c457187ecdce60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a4e39250fb8296b8cb420e3108bed85d

SHA1
5bc639f5909095aaed8ed3eb0ad2209e4cd7ea6b

SHA256
82292b8f8f8920a06c93437913c6a18f61fba7a89c77be44fd5477eb1e83e3e9

SHA512
c55e4d075201c3e61bb7cec1554549ba49ad92eb1ca8ba6608e793a5688ab6533f7bf2c298abee0b858fde0e78873b8bee463da61fb7c72f5487ba99b403cbb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57da52.TMP

Filesize
203B

MD5
407bcdcbe4709b0aebe66c007ae5b95a

SHA1
539ed080ca5f609416c17f814c143d4ed6b347e5

SHA256
48ab10c582c3325ffb9e037779a6b7628f61d61e8623177e6bb1919fa925db51

SHA512
e7fc4e8621b073b221f6cbf2a0d83612c1a5193561967a359f61ce4ba9342e2ca16255dffe2124b821a2d85db8ad8cf815039fd5fd36a8820288d5b26af4075c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5321707dba06d2e738500f4951d7d28

SHA1
ed2c99510bb4cfb41b17d445e6cc92913c301b0f

SHA256
cfbfc5f67298c43dc50497a676ce4a78d67300ca9d75d6cc5a08023c8c8c76db

SHA512
d404b0caf0c7c3d73683746d30031ec8c620833b876f54854f5b6fdb2379e2f08a20047322bcc4beb198bde57f1c9aa6d525fdd27ec749ef6222f647e2769248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
411f275a2cf1b106d706e897a8b208ee

SHA1
c4f85614a54295be857cfe5870a7cc57e8c803b5

SHA256
9098c4df469ea78f250be204e906525f70fc9acbbe33e89480a393ab021850ea

SHA512
fb31dc8da7da86edb98cd1b7dfb233391f9850239da86ff9ad90d48796b8011abd2fe430b22eb2f670fc932bbaef07e2231b885fdce7dbd876e1e23d4df686d4

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 608051.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\ᢕᴷ⋟๢ᄸ⾌ਛ⥊႑⍋౸⯐⹼ᒪඃỰ௶⓬ᮆ᭬⡹Ⴚ⑪ܝ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/408-421-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/408-622-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads