hxxps://youareanidiot[.]cc/

Resubmissions

18/05/2024, 21:49

240518-1pasgahh83 1

18/05/2024, 21:46

240518-1mtskahg89 10

18/05/2024, 21:42

240518-1kssgshf65 1

Analysis

max time kernel
88s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://youareanidiot.cc/

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{C8BD2BE1-7323-4A8D-A65B-841DA1A1E4D5}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
2336	msedge.exe
2336	msedge.exe
1012	identity_helper.exe
1012	identity_helper.exe
1100	msedge.exe
1100	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5732	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2064	2336	msedge.exe	83
PID 2336 wrote to memory of 2064	2336	msedge.exe	83
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 4192	2336	msedge.exe	84
PID 2336 wrote to memory of 756	2336	msedge.exe	85
PID 2336 wrote to memory of 756	2336	msedge.exe	85
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86
PID 2336 wrote to memory of 2768	2336	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youareanidiot.cc/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6e846f8,0x7ffea6e84708,0x7ffea6e84718
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1316 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3032 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,18004476275169181730,50844858335471115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:780

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:1944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3912055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
54d4a91e16804c16f9323bfa4f7955ef

SHA1
18ec116d4ed6d5f785a855b249a8085696db75f2

SHA256
3172cb227042dc22f7b95f80d96425dd27e1abd09b17a24150d6a2b3104c1b41

SHA512
addb13fb4240de6a5d7e32a92b82b28ccce9ca8b53e2e04608c31f2a29d7d830a2bf2e97f1fa99c2bdbb9e758f43b755ccf7fcf37b584fe19b4d2c2e2635959a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
16b7ee850433b13ad9571ce5c06547e1

SHA1
28b20a452a61f228ca8bf38bd059e1c9bd21ecd8

SHA256
a9abddce33516cacde9d4225ab119db768ca7dfa3b793a013642dca6f3acbd88

SHA512
eb85c72f8e535e17f0edcd213ff4afe05e3fc3bd753142ccc487371bdf6478e8c827993711e183ad2adb2fa41c89966b15c4c956c29bb892e040abb0a07bcfa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
25f57551e8fcbc4dcf4a64d183d591b1

SHA1
78dea6c5d10b9348a2a7ad658c5c2990894ef778

SHA256
f85a2896cffb36806c9a8dfe5cdd1a74e9a9759509c6a293d34698282bd88206

SHA512
c81a331da28256725da219c8d64757d8b0905338022c121d6d328bcd5813d239b0993f9ebd3cfe0ee4d5269ca7fbb005019159e58ce66db968072a6ab18787dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2b9789654ec18b3d2e3ffd9a159f57d8

SHA1
28be12e7a7d947ba913cc68b5b6226d5696a593a

SHA256
5bd9cadc4efef652cd998757b60a5a0865edc7e2a39a35c569e89c6f3b9b4a9e

SHA512
415a6f90d924afc1c9f64bdd7dbeedf8ac6e0cc7dcafdfa6868ce9438459aa11113b85e159060051b3a5a6669bcc860946565cdd72a53c4667a9069278738daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc5fb4595326f626576c7e4bb51bcec8

SHA1
926982518c6e04cd9e9926444683e08ded9a0c01

SHA256
920ca1aabff8df9791c5522fd9f8de67a1de5416880af94653389a5b3d2d20da

SHA512
a6d757e96f2c4ce010b88990edfa2000d0aab638a2df18276f6bfbe4eb3dda23bae928e46a27794c8cab86bd9feb401a8ac81462fc2264808ade9d0e8ef5c3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81df1cc9b2ac65f953ed21403ed6cf00

SHA1
4c4d77c60715937be4cb1519430ad2116d682473

SHA256
925ce550f50f9373b9e841840d220e610757f9b57b12906f1489bbabca5e2cb9

SHA512
b6d87b279ad57400daa9e1db7f709718359923f8b71e15bdc03cb9e6d54edd4d45de395afb2f67d942cc698152b03c7827280a7d800f09c7b01e94febb323f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e209da62273659aa9bec597e34dd1ca2

SHA1
9cf789867883def952d21a5d69d920e69a3ac51f

SHA256
c85b6bcd99d9c154bfa379ac3e2e9d0d78f02a04f02486eec9ab5b49b1d7845d

SHA512
e284744d58b3283f99bebd9e0a0b82bfaa41375170d6c743ff56fc40786c1e9e4149a1d2b0f73d65546dbaa5e7423c695fdd84d0f8d9073ab284c7f6e68e742a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e76ca10bd334bad7757c9a4bac570319

SHA1
41c8deb5a5c0127936044625a7644c169ee32b02

SHA256
6450381e178f0bed9b384eba11892d7d942ae22db115e76c1b5111ff4a104f9f

SHA512
fe55538e26f10d7afbd4371cdec094b5e0e748e82c6b0a669f143a9a9f567d3ff1927244e867b6b90231078ffab0ff9f649454d8ef497dbfece0e06c562a33fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9588ce64de137b81626b61ab9c6481d8

SHA1
e88826ecf7148883f8df03ce2c0c34eff4ae03ca

SHA256
649da14dba6428cb5ec6354db5d2e6c4e4e29b32be01c6d2a3e5964ca810d48f

SHA512
3434a822b2b93aa07ed576545e0e479fb83dad243f607ebbc14e02f2db1f81f59e856d4119a148328317019f3a906aaf0e94ebe3ecf6f41af96019d66306e7da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
44a572d72348b73a50756e4e73e3d6ce

SHA1
d679f307b81fe64f34f6f0c7b31942881de65a09

SHA256
c1ded085d4a0252c86cc3ae0116ba1ba8f287b5a8048634db9cc871a22bca5ba

SHA512
3bbb20e269fcc323c3e120ac7f872e780c83b3947c923a364bb78b2ad1dc76d2d50cc0a58a92c2d543bbce4d499fb4208c1ba71259731679bea507103cd9f56c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 83742.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\⺆ⷘ⭲⪃⇆ใᚴỂাٞ▒ጦἭན⥷〡ᄖ༕⊙⑤᷹ᖨ⩾

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/1944-420-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1944-596-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads