Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 07:58
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample
https://vpnkit.tech/vpn/free-n-easy/?cep=bMT3fg58gpeDfnBiS6dlJpgCykFDOAo4HalTatfrdNaroWh0gVlA5DWqMEOlspBF6mnJSIcfYevib7MKNYZQZd5KzkLFK-agYfxfhaJV_nxc0SNEGWhh_jsIoyYmVP5ImVpDJ3DLD7NRgbnzxsqXhsJsFFenHBTqB1TJVU6T-BzINCxKpdSOO1Z40CDWFEJ9Xt3UfxNFAVnF6w1cxBTL4zsDdts8yr3YpnR0saU4-2Wei96l4-b4tlL6sqo2B4GNNJPL8WdCR5Wl2UNJGST1tKfvtvvBgsZK3lFgfGzK6WZf3zkW_JUmdLAuXgFKzP_mr1i0hFvOCjTmVlWEWhsOprJhHWX6KTIT9NoaTRlpcUa6arzVn47rVQ46HwtdOUUrRYH362eW3GCwfPEUWKZzOg6_ormMHj1A1W2Fxkvl5A-55tWcBNTz2uKHhHrtYgBBAA7_BI39NbjndFcObrwpz3wStMQPTPsoV9B_1wjRaTa4OZgyni38LeINWZJVX4WZhG1SSyXkF-5WJQ0rZturuBaBAIyF61BJhlML51_iOyUhec70ddzfWzBSdN1_EnxlZmQ0AmoE6_kDuxe6nCbPp5zK8FvAMgh41iOYBc57ZU01ldx8A5kZSfhDsnTusZFJUcUx5EqkDqG7rtGw1qD3iBlEpwHqwBjkKvpAQfaS4HrOqf_UWsbE4PCVgNnsEIXiiarfqQWcSywQ_IPuO1EDOA&lptoken=179116b5799f82ff6173&zoneid=3579156&bannerid=21081774&browser=firefox&os=windows&device=desktop&region=kl&isp=alliance+digital+private+limited&useragent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+rv%3A125.0%29+Gecko%2F20100101+Firefox%2F125.0&language=en&connectiontype=broadband&cost=0.000240&visitor_id=818866274615697476
Resource: win10v2004-20240508-en
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" (NoEscape.exe)
UAC bypass (1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NoEscape.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (NoEscape.exe)
Drops desktop.ini file(s) (2 IoCs)
- File opened for modification: C:\Users\Admin\Desktop\desktop.ini (NoEscape.exe)
- File opened for modification: C:\Users\Public\Desktop\desktop.ini (NoEscape.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" (NoEscape.exe)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\winnt32.exe (NoEscape.exe)
- File opened for modification: C:\Windows\winnt32.exe (NoEscape.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies data under HKEY_USERS (15 IoCs)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{CE84E4AF-D2D5-42AA-BFBB-0861A5D80C4E} (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- PID 3196 msedge.exe (2 hits)
- PID 2128 msedge.exe (2 hits)
- PID 1160 identity_helper.exe (2 hits)
- PID 4888 msedge.exe (2 hits)
- PID 4960 msedge.exe (2 hits)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
- PID 2128 msedge.exe (15 hits)
Suspicious use of FindShellTrayWindow (53 IoCs)
- PID 2128 msedge.exe (53 hits)
Suspicious use of SendNotifyMessage (31 IoCs)
- PID 2128 msedge.exe (31 hits)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 412 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 recorded events are writes by PID 2128 (msedge.exe) into its child processes, repeated per target:
- PID 2128 msedge.exe wrote to memory of PID 1504 (procid_target 83)
- PID 2128 msedge.exe wrote to memory of PID 2608 (procid_target 84)
- PID 2128 msedge.exe wrote to memory of PID 3196 (procid_target 85)
- PID 2128 msedge.exe wrote to memory of PID 4492 (procid_target 86)
Processes
- PID 2128: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vpnkit.tech/vpn/free-n-easy/?cep=bMT3fg58gpeDfnBiS6dlJpgCykFDOAo4HalTatfrdNaroWh0gVlA5DWqMEOlspBF6mnJSIcfYevib7MKNYZQZd5KzkLFK-agYfxfhaJV_nxc0SNEGWhh_jsIoyYmVP5ImVpDJ3DLD7NRgbnzxsqXhsJsFFenHBTqB1TJVU6T-BzINCxKpdSOO1Z40CDWFEJ9Xt3UfxNFAVnF6w1cxBTL4zsDdts8yr3YpnR0saU4-2Wei96l4-b4tlL6sqo2B4GNNJPL8WdCR5Wl2UNJGST1tKfvtvvBgsZK3lFgfGzK6WZf3zkW_JUmdLAuXgFKzP_mr1i0hFvOCjTmVlWEWhsOprJhHWX6KTIT9NoaTRlpcUa6arzVn47rVQ46HwtdOUUrRYH362eW3GCwfPEUWKZzOg6_ormMHj1A1W2Fxkvl5A-55tWcBNTz2uKHhHrtYgBBAA7_BI39NbjndFcObrwpz3wStMQPTPsoV9B_1wjRaTa4OZgyni38LeINWZJVX4WZhG1SSyXkF-5WJQ0rZturuBaBAIyF61BJhlML51_iOyUhec70ddzfWzBSdN1_EnxlZmQ0AmoE6_kDuxe6nCbPp5zK8FvAMgh41iOYBc57ZU01ldx8A5kZSfhDsnTusZFJUcUx5EqkDqG7rtGw1qD3iBlEpwHqwBjkKvpAQfaS4HrOqf_UWsbE4PCVgNnsEIXiiarfqQWcSywQ_IPuO1EDOA&lptoken=179116b5799f82ff6173&zoneid=3579156&bannerid=21081774&browser=firefox&os=windows&device=desktop&region=kl&isp=alliance+digital+private+limited&useragent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+rv%3A125.0%29+Gecko%2F20100101+Firefox%2F125.0&language=en&connectiontype=broadband&cost=0.000240&visitor_id=818866274615697476
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes of PID 2128:
  - PID 1504: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff631e46f8,0x7fff631e4708,0x7fff631e4718
  - PID 2608: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  - PID 3196: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4492: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  - PID 4476: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - PID 3780: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - PID 4708: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  - PID 1160: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2252: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  - PID 4148: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  - PID 400: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  - PID 3368: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - PID 448: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  - PID 1948: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  - PID 3964: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  - PID 4308: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  - PID 1276: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6124 /prefetch:8
  - PID 4888: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6072 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - PID 624: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  - PID 2316: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  - PID 2144: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  - PID 4796: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6096 /prefetch:8
  - PID 2200: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1540 /prefetch:1
  - PID 4960: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3780 (PID reused): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11083297486768899254,10987392755110575193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
- PID 5100: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 1992: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3048: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 2540: C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  Command line: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
- PID 3212: C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
  Command line: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Drops file in Windows directory
- PID 412: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39fe055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
Downloads