hxxps://github[.]com/roadmanlazer/NoEscape[.]exe-Download

Analysis

max time kernel
178s
max time network
179s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/08/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/roadmanlazer/NoEscape.exe-Download

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Loads dropped DLL 1 IoCs

pid	Process
1468	vc_redist.x86.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674455860226245"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000a04834d68986da01a06e753d8e86da01a06e753d8e86da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a4aa36d68986da0198d6bcb735e8da0198d6bcb735e8da0114000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4616	chrome.exe
4616	chrome.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1068	chrome.exe
1068	chrome.exe
1068	chrome.exe
2888	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3688	4596	chrome.exe	74
PID 4596 wrote to memory of 3688	4596	chrome.exe	74
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1856	4596	chrome.exe	76
PID 4596 wrote to memory of 1936	4596	chrome.exe	77
PID 4596 wrote to memory of 1936	4596	chrome.exe	77
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78
PID 4596 wrote to memory of 4252	4596	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/roadmanlazer/NoEscape.exe-Download
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa864c9758,0x7ffa864c9768,0x7ffa864c9778
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:2
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2608 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5528 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5676 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4904 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6092 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2900 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4952 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4452 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5184 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1500 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2956 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5596 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 --field-trial-handle=1836,i,14227694884129919825,16286298060609009792,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Users\Admin\Desktop\NoEscape.exe
"C:\Users\Admin\Desktop\NoEscape.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4644

C:\Users\Admin\Desktop\vc_redist.x86.exe
"C:\Users\Admin\Desktop\vc_redist.x86.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1832
- C:\Users\Admin\Desktop\vc_redist.x86.exe
  "C:\Users\Admin\Desktop\vc_redist.x86.exe" -burn.unelevated BurnPipe.{8834C9B8-9C84-4966-8CD2-B1C7BD7A51E4} {620A8B87-CB9E-4829-B3C3-E37C6C2376D5} 1832
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Users\Admin\Desktop\NoEscape.exe
"C:\Users\Admin\Desktop\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a99855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
17a7bb53843aaa4441dc78714453d1fe

SHA1
6b5da495f24e6ddffb71612cfe368724b30da3ac

SHA256
6bac54e2d3e12d5650d56336fbc2a3030411d4b9ee812661400e1d65d0a4e3d0

SHA512
26de18b48f52d82b0142efd1b7b58d851cd2c49070c636de5c0a697f712146ce0d770179a2eccb399900902b1c804c09bff9e6e1f70678ca3bcbbcd90a49c675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
60a2712faaf77f9506fe36cc4cfe4e58

SHA1
bf6da7442bcc14d7ffb7d42da69d01bc1f2bb996

SHA256
26e365ad9553ef38aaad06a7b222cf70f21095bfd6c2444bdba0b723ad052875

SHA512
97ead35800ed48701f1799b055a33ed9efd1a9e92a7cd96e1dc00d56c539bf6fed50e8b915c8d4c1077a935f933c8083c28a5450a986a92c6f2c06b314604c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fefba24f6c69295c69a4aaea4deeff6b

SHA1
109d1abad444feb98457de0ca21330934411c581

SHA256
a1b58b21a9b0539a372a29cddd1b3b7cc429431a36112dfa4ac03e175da80d89

SHA512
3186446d714b604297fa4e38e1fc99558bf7d33e97124092a6956f8b844532ae0668ff8083738af359e26f7f40182b502232f45315601578173fa03a2a5746bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
bfe00c1ead4d90970b06de44de7d3837

SHA1
1647bbadf393b442d755ebf2f1019d164190ecd9

SHA256
5d0b9604452ca5175cdd92da481d0d669d46549d550bc064077ccdc736cda857

SHA512
2638da0e598d312171e7167d26cd1358f90439c74fb3c70fb70c9f96291d79f6739829e5b86be5b7b90e56d6f9133506dc319ad8d8b84dd82b800a82609cb0e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
5aba602098e7e4b3cfeb7cd4612e9e9d

SHA1
36fddbd0a34bb23f78a7aee1e1320692d00c924a

SHA256
8055144abcbb958550fe4dc6adf486b76fcb22926343647c1e3773a26b4ed6c7

SHA512
d31ec1ad488c2bae24bb58dd9b617b1338f5aae96f7ac94837c3c91ca2d11ed03bd51baff53f2b21af283302ee4e3d6cc3ab881b04c5037e70224f9cb281c87d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ab1c3b629fe75cf9e2bf00f987871790

SHA1
9b20a59541e2d5278b745a4fcf3ba7d78bb1239b

SHA256
8f844f57677055fc4c1e1f9332dc8def4e88934aa82df2af7bc7962e54344a8b

SHA512
2d241a8c9d3a352f0de60cd7a35cb5acfc15ba57154f076e1c89737526ce838859df814f75499db123132ba0065ceefd9d3f7d16b69968f2e95dbe2c7eacf36e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
3acb107b76d815f27bb173d93776144f

SHA1
6f30406bce666dffbad12655808b7c67e82a4e06

SHA256
d57564db706bc52db016201e03f69f3055d903da6bff61cd2184b45922c4a2d3

SHA512
9bc3ef79b37aae277ee39305bf949f87d8c27c56d44c290b8e78f420c16c72f4058b5780f89f0c4547b7264e5a4ccaf6ec8f48ac3335ff962c7e972aae685a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d90409b0c7c66aa7ad2d1dc99f1591c9

SHA1
8edb9511d74c419d69f80d347c5f8a6e6c3597ee

SHA256
1360c18c25d34d05d4453d21d949938f26229f9fe2fe321e250917b631749859

SHA512
371081f3603afbe0e8c8c5527c6d84bb9a4703895508ca825e3b2447b0aa0f122033661cbcab55fba078b172b9c9323f9c939bf18321f47248b05269db7d70b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cdd50c1b8b10515b84901afa32998d12

SHA1
462703c83c2c63600d76bed64378372dc77590a0

SHA256
c9a78ab82dee689b3a1cddb29768dc0fb7391bfaefb7c622d92ee6a064d8aede

SHA512
8c8f4503034e034e2d2699fc49c40169c8d8f9554f27ccab48bb750f1bd5c244204a59bbaea65359f8b80090bafd1aa2723fcae409c750ef522fe390e4e02f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc553116b51055585b5b8da12114d6cc

SHA1
69a01af39f334d1a4e8172a59b3b55c532ea62eb

SHA256
8afce2f589ebc520e48597ce773ab59c0a53e72c02d8204300d84d27ee80a21c

SHA512
63be75def044adda4da68930dd237ebe078d912d301f425f6e3d7b017d4c6b25dfe27276602c1ba482e20e84088d62fae9a0ab88fbf72350f3ccc91cc24e54aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
85d1993de616235187fcf20288ab449b

SHA1
cf0788c3060a49e5c56241db12d5509aaff58327

SHA256
38a9a1f07537b216877d4c4388a6e51f9b4544207e82edba80b8d92974687db3

SHA512
9ba7971caa7e24c1b1598592c7db95eb34e8d059ff7904b9165e3b828057c84f1b8e8253b9db366f6b7725c2081984835dcd8d94fdfbbb32e1f65c6c0fdf2bf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ceb3b9e6cf74c05b323de3bc66e46a40

SHA1
1dbc7fb84b418a9ce25ead4623ecd130817d4aac

SHA256
1a79ab85403199db3f1dae41da73e883b834ac36e930b45305ca1dba908c4275

SHA512
1288281ab9d1c9067b4bbe2e69001eea15b42cdbb4a0112556e78465f540c2f4cbcc366888c6bbd4acd0f2e83e5ee99b4953d97fa3f2365873ad915a4a5185b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39003af706f581a7a3a154e143302220

SHA1
da4270010d116b7dcdc1b2fff65ccbbeb8b14fc0

SHA256
1fb03afaa2a2e27a62ceef15b7480de747f146d398ae057a7422a49c0b95ca16

SHA512
56b8850f970acaea612f3c8c4c6969bdb960b38b3027834f03f15f86b7713e2f3ae79ddb4160150febe7522fa7aac741305aff785d4373874a9bac539f6eeac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
042ddbc6207064b84f73076712cb14a4

SHA1
b87670329b498a726c20bff93ed9017eb5565d2a

SHA256
6fd3dc509437701c5380543a282611eb14416326ab4e5fe43daafe524d0893eb

SHA512
b00dba0dcb0d2e393cd4e3ec6b4d9648705bfd6e779ff89b82dadb80793e8879533fcaba4a7c485c93f072d437f0ebf20e849fd7ecce5fd1b0692cfb031d0a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
908768ca68ed42dbefac642482eab948

SHA1
367f6ab96aad4145dba88a667aa62c356d5d1455

SHA256
dcd468cf0c815bb0200dd4bdc7fa69f6210d9e76983199ebd2b7c611fae7d6e0

SHA512
598a59902d4afa7b6e5ef0da809a944239877f165501503347adb895fe77730366b0be49a11ac11dd3c0404c440ffe12d8b9f02f6b34547fbbddedc1ca31912a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
228ce76391d13c79094bc3ee1083b2e7

SHA1
2545ace1c45163d23797a145c2d32dd01541b9d9

SHA256
be86db061ebcb049972982824b6776878607b603d10197daaa60d5e7fbc19e87

SHA512
22cea58c64bc6a06eb27aef2b63e695bbf5f8fc5efab690399dc6c523f8d752c95dfc84f159077fedf3f6c07143297ed0232eca362dbf576b11c0e3cb117ab22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e3f031f0978239c19c5c6d4f2295fce5

SHA1
4bf0d4cf2b044874ccd03ae8fc39da04e8cbbd6b

SHA256
430624571aae03f1be982407ec0558f65734a883e882dc09ff1c515e8caf7a08

SHA512
5381281326e0089cfb1b86a55ce0ddc30df1b11701af6443b5fa5246353fd0a3b952d1910fcb7c2de881ef5df48a35c4e178dadafc5d342797f58b841e43cd8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b705914eda81e5e268d57922188a3a65

SHA1
597c948b6f2295d9a4bb07d41ba4e1de54d55589

SHA256
22993acf91f0690acbaa389ed646c1086b9d31a9c6b4b45f1da5d779d43912f1

SHA512
78ec68af8edf4411fe9735ffed522072deb1fc15869072a6451ed53d9a98eed498d2bbb153e40842c83e5a6fd493b38653882263b50877bce672b6b471bbcae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
113a9d2746ba5ebf9f2d25f6debcd6db

SHA1
15707c504c260ebffd1aa647fdd3e7e85a857a92

SHA256
33115c0d10a660e6fa08605dcd8ea5d8995dd05d3c2e390295579a6cf42609b0

SHA512
11e59a1c3d826b8e45efe1b504636f6e3042fdca36062ce895873dfb6cc99233c4ed801c201e20444d9ae8fd2ddffe3588f22a5284e37c345fa0f8aa16ac2aa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d62393eb4e0f447a1c1c77f568d1ad46

SHA1
0367779bd9251c49f0c590ce15da6dc7c39d1f49

SHA256
2fc2d2cc85b4816be8a9b8800f001ef77d745437f581f14de3ce786e1b76d980

SHA512
58f94db1e1bec4117dbaa8582c0719f105841d54973ba7620eca27c216b53d92cacc3c3b15a8eca6688eeaa5ca2168df9317103308bb3502ec00559ae901c77b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589219.TMP

Filesize
48B

MD5
9d976b08bf8d5b1e163c5745b13851c0

SHA1
ed6edbae9fe257f247fc36b2044271cd0c779cb3

SHA256
df36e874e9a1c36fbc703b7ea650d4705250b2ad10509e7bffa44a63fbe013e2

SHA512
e43080ceb3fa2a2365c9e295ff79f68ebda6e6c89c03a7746dc6b03e4fdad93d1e843d2bf5666c70a3fbcb89f5b73b377b50f772425eb5956a5a7517ad62b23e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
ca3d81a22ee701bb911e4a994909b06b

SHA1
aa23d07507df5cec7bba1220bcf6ed57540d0e8a

SHA256
676083e366c736b1c085f68ccefd7ae1e4eb8b1414dbf2800ec7c34a6311cea3

SHA512
fc85cfc2319c7b3c760a0dae28562e4184c97dea6768960b36bb3ae9b81753dc597bfd201e833681d0e28b249997b03d20fc515fc966eb233a48a6b129c51ba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b3abf9a9794590458c07bb733985167d

SHA1
8eb01897573515cf9a78bea3b6f501a1f4bcac5e

SHA256
49dcac204ad8fda483f9e6c1e0db9c0543e517fe19ace63ebfdeed9eb7a8b38c

SHA512
3c086d8aa2660876516669aeca04c0ae0c0e629f2db9576e2360953323d80824a889296fd600638f82beabe4b476c8775950ab621b6698a77727fac04ce21158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b8666ffa267ab174328736a2bb1bdfe0

SHA1
e0063eb11f0c4c29e318314a06e4e980f6cda10f

SHA256
d912f258ead5d0c5410568e06ba369b9ad934131e7bd27da5def084a9184df83

SHA512
db419220d1038deac2d62452088bdd2cbab305f1bd0373c2c9b091933cd29a57465a9ef1e9c5bf3b4a8cee8005a3234bece0110ec249c86a632bce419bfd5291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
2ceade7e30728f6cb694b2c663fd6d06

SHA1
80eecce58ce5765cb843b7a3fb90a5d2d74e615e

SHA256
7607b6f56776cdbd97b627dff9b0aef113fe4ee195c13c9c9b1c6f26cffc820e

SHA512
5a9585a1ad2d97833ab318e635ef4dcdfeb7c757af3e665e84d584f1dc81439548594aff5fe8c84b77313dcefeb95d034b05a901fe32205484bcbca7971053f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b46fa1ad19a89928f159401cc70e0970

SHA1
05d1a265698c66f7d20c03e17847e84d3313ff49

SHA256
1c59c7d38632a6ca21c78e435dc13339c300cb73d9028a8a2688457b55c3b0ca

SHA512
46cf6229995db949f0310348c76bbb7949647435134a27ee2e645b1a078cabb9996d20481e0640a8a0b659080508fb172ad8bcefd28a1e447fd871541cfb6e8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
55b517f7a03079ca7e8280581ccd9b99

SHA1
d578f108443f75a74eaca2846ffe7b2d739789cd

SHA256
c65dea51acac9d4c37208746254723b5b769738061515a7b067aa8bcf5ba9e6e

SHA512
99df000fcefb02829688fea83b28316d42370edb0d26440b1198830c3720a8e07d7e766cabc50e9efdc2dd28a052e11f821a75dece30bc608e340a2b7a1bc01f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587da7.TMP

Filesize
105KB

MD5
eb2175347a6da2b15318801ba5322720

SHA1
020986cb08f3101d2546c95e92df1fc739b11212

SHA256
a24cc262eae3aa1d083da89309f75d1adad7c0d872010587fdbf95f05b444aea

SHA512
2477e0b47ecc0fbc67d1736bbe886601453b3731a3edb7c105aab76ac4c0306ba896f6aba1b66d0603407eae1599caa59fc94cdb49d46dd3641b02e09748e6d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
9KB

MD5
25c15377d6e417c72b0fd36caab02366

SHA1
c7effcc29d077c9f58975e5c8391715064e8bf5c

SHA256
c0c9bbeeded05f269248f69ac8a1413bc2daa96a32aa7a3b3124318020066e9b

SHA512
8ab082191f593e2f12ca7acea5d829241bd863bc234a78d91af8d243dafff0f317c3f368eb2da41672a0c0700ff3fa0b27f87ccc69a1fa1121ccf6c52bf099b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
a98666b6918be36700653baf02001c73

SHA1
9bd62cfaba5d75fc15d8b7db8d7964e527284f87

SHA256
e7fb1ee01a6f22600a674e1013f6531555dc6b02b612fe72e142afbca41dccc9

SHA512
2e3cb8558bcf51deff3131142bffa2ba92fefe4f70d9532c459f343c63fb6bd330cbecff622cc6e7f40ada26189a19f5ab139f5c8ac85bb47a9ac8966fe1caec

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe-Download-main.zip.crdownload

Filesize
13.5MB

MD5
6da84fd648c8811cc112f4fffe20a24d

SHA1
ba4f8d7fb51ee0a31b068cca51d5e5388c4b081b

SHA256
7b55dfab141eb69abbe47267e396fe8ee6bc4054fc8d4a5d91049b950c7d84aa

SHA512
0ba4c4379b77b465aa13af7ec295a9e7cc1421cff76e735890f46228af2f500202f879468322ad59b6d6ab06710828536ffcddee23093adf82498a365fee6bdb

Download Submit
C:\Users\Public\Desktop\ሡ⛷⸨ᧆ೤ะᡯมஜ෼᪂ᓌᗙၘᆝᦛᯝ╌མຘ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/1320-1026-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4644-475-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4644-474-0x00000000005C6000-0x00000000005C7000-memory.dmp

Filesize
4KB

Download
memory/4644-464-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads