d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245

Resubmissions

13-08-2024 08:41

240813-klh2nstfje 10

13-08-2024 08:34

13-08-2024 08:31

13-08-2024 08:22

13-08-2024 08:15

13-08-2024 08:11

13-08-2024 08:07

Analysis

max time kernel
57s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-08-2024 08:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

free-vpn-3.2-installer_96-miv1.exe
Size

1.7MB
MD5

2798a45b6137fdc262bc01d6c13a2c7d
SHA1

743587eb5afd358591146b8222d2b97d82cb9d1f
SHA256

d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245
SHA512

4c8b70261ec5fe915b2c3dcfb6ff644873adcf0d8abb1ba83be30eb600bf1c7fbd6bbd5d0730a610f129e3492517e7cd77e882e9f7b3bfa214e73bfbd361be1b
SSDEEP

24576:W7FUDowAyrTVE3U5F/XkbjztjfSKh7P/1Ks6vk9XpSwR1HNmJrFxgzUsYz:WBuZrEUcztdqAXpSwRWNQ9Y

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	free-vpn-3.2-installer_96-miv1.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer_96-miv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer_96-miv1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-6179872-1886041298-1573312864-1000\{985DD1A4-A0BD-4015-9CB5-5EA1F7B75A06}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Windows\winnt32.exe\:Zone.Identifier:$DATA	NoEscape.exe
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
996	msedge.exe
996	msedge.exe
2052	msedge.exe
2052	msedge.exe
4256	msedge.exe
4256	msedge.exe
5020	identity_helper.exe
5020	identity_helper.exe
4168	msedge.exe
4168	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe
1160	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5236	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2648	2988	free-vpn-3.2-installer_96-miv1.exe	82
PID 2988 wrote to memory of 2648	2988	free-vpn-3.2-installer_96-miv1.exe	82
PID 2988 wrote to memory of 2648	2988	free-vpn-3.2-installer_96-miv1.exe	82
PID 1160 wrote to memory of 4368	1160	msedge.exe	89
PID 1160 wrote to memory of 4368	1160	msedge.exe	89
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 3940	1160	msedge.exe	90
PID 1160 wrote to memory of 996	1160	msedge.exe	91
PID 1160 wrote to memory of 996	1160	msedge.exe	91
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92
PID 1160 wrote to memory of 588	1160	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe
"C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\is-DD5BB.tmp\free-vpn-3.2-installer_96-miv1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DD5BB.tmp\free-vpn-3.2-installer_96-miv1.tmp" /SL5="$502B6,837551,832512,C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb476b3cb8,0x7ffb476b3cc8,0x7ffb476b3cd8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10128078980009118369,16435761932722451458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4168

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
1⤵
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Modifies WinLogon for persistence
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa398d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b296e0c166d23358b74449b2f4e2bf93

SHA1
1d2464350d5d2b11ca209aa39f97260bc7ccdb07

SHA256
5da5bdfda8e76ec2b6ac7bde71a781f5b2b23634b9a697c985b1e63fb0f01b17

SHA512
5bda0b9acd22198b751a16019ca64310f6342ec48b7e41f3f887a8fc20deb5fdb2ef887af65ed367cc0fd5c54fa8725b9c19070f2afe981cc1262f777d4938b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56c46a32066f8ab3ad56571284131013

SHA1
1ee6f910599c568dc270b5048715946640be29a5

SHA256
656f9068f00fa21ea12c589990dd07cf824d49212639305f6afbb314da389551

SHA512
33ad583d92698b8e5295e71acbdc3bd71fd38b30b0c01d74a383a2dccc8e5ec0af0400fc6ef6440326b988a5c710b52eb9c24aa01b304662aa55aabfcf692dc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83cddaa4c2e1466f02cfca1f3f3c7efb

SHA1
806a549cf6049bf67d39398a818eb17f3cb87190

SHA256
50b12746411d0d618215a2aa62a3eec98efdfc133021f90f479131036870672b

SHA512
2466cd5b0ba78d96bec2cae65e83880adf59e73b66644e4f63f0d7921835d6aca48f5f1584702db654746a64669a5a4a6e8fdf2005bebcd1ec3f28bed9aa65b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
444b8efb43b6b3f99324629d91b9269d

SHA1
ed692a09b5a1d9051b8aee534fbafdcd5c782551

SHA256
ee34a72daf455caf96093b8b98af92ef7d5aafb7ed7b143794fd0207565f7f95

SHA512
77b1e5d147da91dac9d94067d37bf4c144f8a4e91d5234d04a15a595564edf3924b3e68746a92021f5b35b289ea32e8ccc164973375372963225e68b58cfafe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf5939d47efd1beb7c377c0825086d20

SHA1
e8ff9ae932d021ee264c042841cc24bd8612337c

SHA256
922d9ab4038d25549368c26e7a7bd5fba28607ee6d6d911c8f21ff875869a5c8

SHA512
312fbc044ff8f9a02b7afa1c96f3f5553fad08a5c91b4b2072ad79f70b1a115dca583afbbce6c21bad1ec873d56438afcd703fec16108c604b07d341d6c44ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5831c9.TMP

Filesize
1KB

MD5
ce9ab63d03e8c3c8bf4b3d1bff5f9a34

SHA1
13939dd35d947211efcfab91d4779e719eafec56

SHA256
274fee9d95b7f651cedbe11b1f34b3e1434d06183db3a780096e13df311d5f34

SHA512
60e231a4631fb892c30da666e74fe15b0211293b178a4f82ca9e66d9d0a5475a39a22bc04f7673aa8193a5bb53e1f5bf39b22be6b13a911bc866648067bc16a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2b07b1a61889e8052ff9e63fa0dff2a

SHA1
1b678857478a25654a0abfc4a2ba281bf27658ab

SHA256
0671bc2e7088bdbd705b1a5d8f7cf7e777b3e4fccbc13536e409a41c174fc160

SHA512
661853ba943615aa4140de1444c2ed7ce65be5c5a3339dcfde35085a3c789e4e81233a257ece2c8ebbb405fcee5a91f84ec1367e10bd96c430bfc15a72678bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
06e842123d4ece4b010315bfb187a0a5

SHA1
8f0b8d7c4c3ffd2a29f21aca4b11f3f8102e11c8

SHA256
17e19e9b0889372cffb09cba0845c23f7e638bfe02da1c4d0ac14681388aeb0f

SHA512
07a02afee442ca7c5b115acc266c4888448f63d920a4da330302059695932408e7840175a9390654167da3d27ce3cfc37aa65702ab629331a17ef5ee3dce88c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DD5BB.tmp\free-vpn-3.2-installer_96-miv1.tmp

Filesize
3.1MB

MD5
db28fcc0fffc6630fe26b980989bcef7

SHA1
5df0b8072c9d6e5eb5f60300ff021774c03fed4b

SHA256
03f35384c001acb1a19371cfc66afd98507b1ad93b4b20cb530679c64b2a8a86

SHA512
e323d28d5e7b8b37a545f52cf7310edfdf6a3c5a3ce0d7e2a2e37ecfc5b72de9c39fb9db177d5420dd16503e4d39a04b59d55f0d84132aa6764349444859ffc4

Download Submit
C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Public\Desktop\׎リ⽼␈₦⓽ᓄ൹ກ∐♯╙ᦄፌ℧ദⳒᯟᵌᏱ৏ᓞ∈ⴵሥ൒⭉ቸۆআᴩ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/2648-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2648-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2988-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2988-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2988-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3904-379-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3904-557-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads