Analysis
max time kernel: 267s
max time network: 269s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06/10/2024, 09:55

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Sn8ow/NoEscape.exe_Virus
Resource: win11-20240802-en
Errors: none listed

General
Target: https://github.com/Sn8ow/NoEscape.exe_Virus
Malware Config: none listed
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Winlogon launches every comma-separated entry of the Userinit value at interactive logon, so appending C:\Windows\winnt32.exe (the file the sample drops, see "Drops file in Windows directory") relaunches it with each user session.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | NoEscape.exe

UAC bypass (1 IoC)
Setting EnableLUA to 0 turns User Account Control off for the whole machine; the change takes effect after the next reboot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NoEscape.exe

Disables RegEdit via registry modification (1 IoC)
DisableRegistryTools = 1 under the user's Policies\System key blocks regedit.exe for that account, which hinders manual removal of the entries above.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | NoEscape.exe
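The three registry writes above are the ones worth a rule. The Python below is an added example (it is not code from the sandbox vendor, the report, or the sample's author) that runs a small rule set over registry rows written in the report's own "description ioc Process" layout and returns one finding per hit. The sample rows are transcribed from this report's IoC tables, plus one benign LogonUI.exe theme write from the HKEY_USERS section, and are constructed test input. The clean-install Userinit value it compares against is an assumption stated in the code.

```python
"""Triage helper for registry IoCs in a sandbox report.

Added example, not code from the sandbox vendor or the sample's author. Input
rows mirror the report's "description ioc Process" layout; SAMPLE_ROWS are
transcribed from the report above and are constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption: on a clean install Winlogon\Userinit holds this single entry
# (Windows stores it with a trailing comma, which split() below tolerates).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Row layout: <action> <key>[ = "<value>"] <process>. Keys may contain spaces
# ("Windows NT", "Control Panel"), so the key is matched non-greedily.
ROW_RE = re.compile(
    r'^(Set value \((?:str|int)\)|Key opened|Key created|Key value queried) '
    r'(\\REGISTRY\\.+?)(?: = "(.*)")? (\S+)$'
)

SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" NoEscape.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NoEscape.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" NoEscape.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NoEscape.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe
'''


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str
    value: Optional[str]   # None for "Key opened" / "Key created" rows
    process: str


def parse_row(row: str) -> Optional[RegEvent]:
    """Parse one report row; rows in another layout yield None."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    action, key, value, process = m.groups()
    if value is not None:
        value = value.replace("\\\\", "\\")   # the report doubles backslashes in values
    return RegEvent(action, key, value, process)


def userinit_extra_entries(value: str) -> list[str]:
    """Return every Userinit entry other than the default userinit.exe path."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT.lower()]


def classify(ev: RegEvent) -> list[str]:
    """Map one registry event to zero or more triage findings."""
    key = ev.key.lower()
    findings: list[str] = []
    if ev.action.startswith("Set value") and key.endswith(r"\winlogon\userinit"):
        for extra in userinit_extra_entries(ev.value):
            findings.append(f"Winlogon Userinit persistence: extra logon binary {extra}")
    elif key.endswith(r"\policies\system\enablelua") and ev.value == "0":
        findings.append("UAC disabled (EnableLUA=0; effective after the next reboot)")
    elif key.endswith(r"\policies\system\disableregistrytools") and ev.value == "1":
        findings.append("Registry Editor disabled (DisableRegistryTools=1)")
    elif ev.action.startswith("Set value") and key.endswith(r"\control panel\desktop\wallpaper"):
        findings.append(f"Desktop wallpaper replaced with {ev.value}")
    elif ev.action == "Key opened" and key.endswith(r"\control\nls\language"):
        findings.append("System language discovery (NLS\\Language read)")
    return findings


def triage(rows: Iterable[str]) -> list[tuple[str, str]]:
    """Return (process, finding) pairs for every row that trips a rule."""
    out: list[tuple[str, str]] = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        for finding in classify(ev):
            out.append((ev.process, finding))
    return out


if __name__ == "__main__":
    for process, finding in triage(SAMPLE_ROWS.splitlines()):
        print(f"{process:<14} {finding}")
```

The Userinit rule deliberately compares entries rather than the whole string: a defender who only alerts on "value changed" would also fire on legitimate tooling that rewrites the default, while splitting on the comma isolates exactly the appended binary. The benign LogonUI.exe row produces no finding, which is the behaviour you want when the same rules are pointed at a full registry event stream.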
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | NoEscape.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | NoEscape.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | NoEscape.exe

Drops file in Windows directory (4 IoCs)
Three of the four entries are the sample creating C:\Windows\winnt32.exe together with its Zone.Identifier stream; the C:\Windows\SystemTemp entry is the browser's.
description | ioc | Process
File opened for modification | C:\Windows\winnt32.exe | NoEscape.exe
File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File created | C:\Windows\winnt32.exe | NoEscape.exe

System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
Attempts to gather the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NoEscape.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run all three reads come from taskmgr.exe, not from the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
All three reads come from chrome.exe, not from the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (17 IoCs)
These are LogonUI.exe theme and DWM colour writes under HKU\.DEFAULT plus a chrome.exe TPM telemetry timestamp; none come from the sample.
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133726824727545152" | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "132" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | chrome.exe

NTFS ADS (2 IoCs)
The Zone.Identifier stream on the downloaded zip is the browser's Mark-of-the-Web; the second entry is the sample writing a Zone.Identifier stream onto the winnt32.exe it dropped.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier | chrome.exe
File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
None of the entries in this group involve the sample (NoEscape.exe, PID 1620); they come from the browser, Task Manager and LogonUI.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4408 | chrome.exe
1480 | taskmgr.exe
4468 | chrome.exe
(64 hits in total from these three processes, most of them taskmgr.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1480 | taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
4408 | chrome.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4408 | chrome.exe
Token: SeCreatePagefilePrivilege | 4408 | chrome.exe
(64 hits alternating between the two privileges, all from PID 4408)

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4408 | chrome.exe (64 hits)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
4408 | chrome.exe
1480 | taskmgr.exe
(64 hits; chrome.exe first, then taskmgr.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2732 | LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4408 wrote to memory of 1132 | 4408 | chrome.exe | 78
PID 4408 wrote to memory of 2344 | 4408 | chrome.exe | 79
PID 4408 wrote to memory of 3428 | 4408 | chrome.exe | 80
PID 4408 wrote to memory of 4916 | 4408 | chrome.exe | 81
(64 hits; the browser process writing to the child processes it spawned, PIDs 1132, 2344, 3428 and 4916 in the process tree)
Processes
(indented entries are child processes of the entry above them)

C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4408]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1132]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81f24cc40,0x7ff81f24cc4c,0x7ff81f24cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2344]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1824 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3428]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4916]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2336 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3044]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3112 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3120]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3608]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4432,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3144]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5076 /prefetch:8
      - NTFS ADS

    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4468]
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=888,i,16092928825805555954,18379789104626304844,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4672 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  [PID 1264]
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  [PID 4980]
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe  [PID 1064]
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe  [PID 1480]
  "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe  [PID 1620]
  "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS

C:\Windows\system32\LogonUI.exe  [PID 2732]
  "LogonUI.exe" /flags:0x4 /state0:0xa39e5055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
none listed

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

Filesize: 64KB
MD5:    b5ad5caaaee00cb8cf445427975ae66c
SHA1:   dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256: b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA512: 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Filesize: 4B
MD5:    f49655f856acb8884cc0ace29216f511
SHA1:   cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 1008B
MD5:    d222b77a61527f2c177b0869e7babc24
SHA1:   3f23acb984307a4aeba41ebbb70439c97ad1f268
SHA256: 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512: d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Filesize: 649B
MD5:    1ed046d3a1cb33b39978e43a7c204e96
SHA1:   5262d5a1b4e53f790b608304558459a82c995d80
SHA256: 7549d3624e66ac9be415945716013aa7cdb11d6aec5de64afb36e099f2e8fd55
SHA512: 03f632fa2843d9f6e439ee53d4dca9f30de251d5f3c0983e0d5b7b5afe4a165d2f9280c7b7f224f1dd0fb67c0975b16178efb2ee598d68903bb6885c31f73217

Filesize: 2KB
MD5:    90ce08184e264197df1c3633f9b2ba0a
SHA1:   8465e4137e98abe515f605d8e08b5a840a66ce28
SHA256: d149a4ab285835ca5c0d8cca6e2218133081e0aa7e5f3cc18856eb02751d024b
SHA512: 232c6a1137b00a7f6b63138c911cfd0e084255e47355d51a673a982bd94340fdccdbc891afb246acc9c2bc082efe1b81c2ae1ce3c030e8793af98f48b93812e2

Filesize: 2KB
MD5:    b58c822ca82e6906c908b9c7bab59447
SHA1:   6ed734c53bfecac86d8b382640732a16be82b609
SHA256: ab1ff14e3ef05d2a0714949a2378a6d92cbe8b2d54dc43856402a2ea277ce807
SHA512: af878d6b07c46c103be88ef4af1a927c0fddb231fe5b2e11153550142f2d5378995d2e75565518aa2b3a763f545471d887679065e97d22687666045602755500

Filesize: 2KB
MD5:    4fae9218ada1931f6772ceec61f83505
SHA1:   d35acbd80502c9e77a2879805c9b0dfb28893dd4
SHA256: f42ac6aaa4c33315dc93491e9624d420eefa349fa9c637fc9150263024ebf12f
SHA512: 9c361a8e215a7bbdc6a99b2c5a8054ea04e2f8a6f4632a974b4af00dab34b7ed64fc5ade44914cacd5e0169447868609d40a8142377f0712faec25d9123f8bcd

Filesize: 2B
MD5:    d751713988987e9331980363e24189ce
SHA1:   97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5:    60b31f0eb9dc78f535a73b7b10aaed57
SHA1:   299ca171374b21d9587215fe3ae318013e093447
SHA256: 9a878d8863317fb4df939fdf8f370fe7862de31b572bc0e30037e6ac5649ee10
SHA512: 028ea64856d2b64a57d58e54b85873a30a5a1f6e5f270bf59c63169484d7ee7469302be4be0779037ea4454e81929acf3b34669660add934c72130b967963e74

Filesize: 1KB
MD5:    940e585dff310daf58e974537ac044e5
SHA1:   cc062505d423a1ea9adec648f80812161bc25d79
SHA256: b3bd57e8c6899b483466d215d49c422ad9906617c10d93a306cd92cda5acdba4
SHA512: b02ac025307ccd1c84e7ea0f665147a747d60bd745336d209eaebe0d6cde55ff0832ca02883987a9bcf242d1f0488c611e6784d35e5cd6faffc1d23c46e4e9da

Filesize: 10KB
MD5:    ba66e85243843639b19ae2ac1765d167
SHA1:   48ef01aaab3b290171db3a7da37659a80af42fc7
SHA256: 7a49a3a8ce4bdd00d65cb387b132b38348f6dd9cf0803236cfe20be8ec973ca2
SHA512: 6aa5b8b8b74863304572f94cacf249eea34d73e1abe2751bb06c685e76ef9ff42c48e2b2456f40f77749fa963fadaf775389bddaaef30a3f82937c55d0b16269

Filesize: 10KB
MD5:    3adbb05f8d5522f6b3d4354d3c026026
SHA1:   5460c034c8dcf7ecee047baa189411397615e048
SHA256: 5c739f2ac10736208e9b7abb10c5eff038af9cf89f45e351b30d412f1d96cdf9
SHA512: c61ea04134f8157cbba22eaa0868a8fd4d0e7681785ed0a63f4df2b9ede817911b284c697e1105bfb40b97b34ae3a0f22fe0ad03cd810549388e3468e905d33e

Filesize: 10KB
MD5:    f1ec79bb63d45804836218e9558564a9
SHA1:   341caee3ba3909746963f738415e6f1c199d6748
SHA256: 8d0034b37e06ec3c9ca5850ea8c10fe04de10ec537b4ac6b780e29798d70c2ea
SHA512: c94dfcf0a6f8a297831cf9a71875ddcb26d440a8f709a95b721859fc05cd01bc6717caf09fd5416b4e002d5c3db13f0f2acf94fcb5f8f2b883fe85914b572506

Filesize: 10KB
MD5:    b9097eb7c549627e41939911768a6e45
SHA1:   4e86dde367e44c51ae8a144ffb77ebfa75b853d5
SHA256: 80433191d2ed64bddcc3fe78650b8c469673241f4a0819fce1e352e94cfe3701
SHA512: dac5779565cbc439d0b675c75bf5b3323020f7259aa5466218a1454c3d8405e14dc236da24418f69b2363d63280d0cd85289bb31700cf42e9144f58f8d7af988

Filesize: 9KB
MD5:    2a9ab22c7054aad319c9b3559f071501
SHA1:   ff968736ad573ce76186b2f158930240e448b992
SHA256: 1de42ae627147993dd095ce16e886bc0cdcfa507984c8ef1767d564887af456d
SHA512: 89cf4c3b79f260368a24025329ffe95299beda613d79815f0865e6bbf164dff4ffe7566b76d40167f05112156cfef12770bc2a73a51be44d6dcbe23dddd205d4

Filesize: 9KB
MD5:    0f473212145b995206419fabaac09e3a
SHA1:   2b5fcba51aaa4cdb1b52b6ff78b03ecf03ab3e5f
SHA256: 80a4a64fea86911c9779508c46fd8c88468899dd24131282428a27db99bc63b1
SHA512: 9e6de9aaa460bc2fe4aad888651ce1343abc58d4a6ea07222117aaf8f5a1432bc667da214502b2247d8fdcbeeb3a430e4b4c9af92ead4808cf24b84b1210c749

Filesize: 10KB
MD5:    74170e0f0b1e5546e11cd8f76993d180
SHA1:   4f380c317f0ccf63aac8fcef31f38096dbddc041
SHA256: efbb34f9106969c460c5ba89b877610763df1243fdc94b8827ee88dba6545df7
SHA512: e762184a887bad94a6761304513394962175e380a49b53b530c7e378817305f9705654400c3abdf3da3c0ca66a55bd6fefbd3014f786fbfbb39edce13028de65

Filesize: 10KB
MD5:    96c0531548133d95e970aee04fe097b2
SHA1:   c3c198cc80a662bed0c4b413677d84824f488bf2
SHA256: 999139fe71e04364a5aae6e43834239ec06dd42c147fff2b2adf9ac565d30d16
SHA512: 9a68ed5c2a904ead0d68ef79ca64d5b842421819b5609d16db5c6855a47076feeec1724e946ae38e7529b7da2671ce30a490129599d78301d744813aaee4dd48

Filesize: 9KB
MD5:    e8dbd2027f7ffe16b5bbe72a75ae5f4d
SHA1:   3f34cafa234f3810b09e80e877036923061018c7
SHA256: eb00e87d74789d6681104812d2fc34641de71e412b152532c542e57fd341d251
SHA512: 314293a57e1564530349b029c020e069629dc738348ea13a9e6631f69e6dea3543d11c647691a505e85c4cc6b1e22296ffb25c66f52f23907843a8404fd7c79b

Filesize: 10KB
MD5:    b419dca5bce0ba881e7e21aec1b59342
SHA1:   59e66eab4d656fa41f558a81b36234eedb8cbd3f
SHA256: 6e402cfd51837e1ad19bd6e4243277bf01e048cfda9d0fb3171e22ddd45b4c7b
SHA512: 322eb5c205db23d77a15b648388846868ada835109a3a29a184ce53c3b5b60966d1353e22aa54f7ede5948ec4198e8d74fc1f84508793c94f0a36ac895143529

Filesize: 10KB
MD5:    b282a11229a322d1fb7173e0098c0290
SHA1:   fa79bdfddecc0a1eff29b38aaa004d0b9eab7712
SHA256: 7046f9aecf16a9da4bbb532100288b6aa36ccdda20d2badf7511d95ea5cf7192
SHA512: 8e4070de733c4fadaacd66f757f95c4b615edbce67475e70eaeb06cfc669fcdf34896375d13d57a1034c37850b78b77d3415cb4cfb3b267beb327e30a415683f

Filesize: 10KB
MD5:    3d6659c9baf3881548b4ed401341ba23
SHA1:   439c7190377911dc830dbc91e78aa2f06ba9cf09
SHA256: 2c185b47a68e42330b95391b6977b020004b93d87accadc552b24687fa2419b1
SHA512: e517abfada06ddd2e51a60d5ef1c8248ec98a1c07812dbdeb5f66169420b438a12ce06ec0fdb044a672b69cff2777dbf7ee60cfeebb398097653b1835a787eea

Filesize: 9KB
MD5:    008f892383cf0ca1da0643efe0e48e43
SHA1:   f4f309c5521b6ff838eff707cd212d54e510c0fb
SHA256: f28822c23b283020bd0c9a61c797dad6e91eaea1a773f5c438a897d97c5ef4d4
SHA512: 30d5b70e0f493f52c0d6fc23555e71317c0aec34c12cbe74050fb38a2eead63b08fffbdbc7b05264d48c558a53a8fe6728c4b327faaa5fe192a5436461b81383

Filesize: 10KB
MD5:    ec1b35b624ffd518ae54515a5549a530
SHA1:   f0f0bb6fec147b3929dcafc209165449c1e3e0d9
SHA256: c2a3afd063e2dcbdb89d29cec30b1e29fedd404e6e6f5624424e11c5af433e71
SHA512: fbcb845ddb95bfcfba34d43cfc6e462a0bd49c03226ec7f73c674c173b1af4d68f7d4583ff5f05fc0a093aae788f9f63d4cead492d02d842d043602a641473b2

Filesize: 10KB
MD5:    d49ef5385475d6f460316810a5451ac5
SHA1:   eb309e6b589effa98fb0deeae6e7f940da5a7f36
SHA256: c55d72bc2f115c8688176f6c4be5a4b8da0f2f90b18319e72a73763520ac6a96
SHA512: ee0652fff187dec7cb5d4db39652eaf62f84de8822e023fd75e4fb14bd6176657913452f5b08dc624a7c2f9d43504fff3d61cf8b043d33387739bda2a2d27b1c

Filesize: 10KB
MD5:    7b2c8fa9ba1828fa12723f952d38bf21
SHA1:   573f14dfc06d8a1f09cf41171a1d067c9e08bd51
SHA256: 739b2a1f3d9b953166899c1ee6889e4f072a7adc6ac811c481ab0a160a2d15e9
SHA512: b6064ab706c3da2796f049cb5ff157f3f1d0d11ff5e3bccbf82ec9ff1239a6db6a5557b42205d9194e95d6cd159c44a3273b36ea49db3498ad223e1134181eb1

Filesize: 10KB
MD5:    ebfe54d80c5a176f4df6ccc6d868dfde
SHA1:   02c46a5cf025cccde9407a68660ea35ab3b7b51f
SHA256: 44228cd76cb61d92cf2d980fdcc8a2efd327049fbee5ceca621402694ee30288
SHA512: 912fec167aa94dcaa33d963f62ff5bee510ef49605d3818fda99ca2b2a5ba7a5f7d24a078503f986dbae504b809b08ece475dad9ab0fd3e820a15ba0350ae45f

Filesize: 99KB
MD5:    33542914e91eba9785edb207072bf6bd
SHA1:   e82e8177b21d0e3a1c24651c5750446fc2cf5bfe
SHA256: fafdba9971f133eb0fa60a64afef6c6ff74e89169f83e94bcbc2d45ca2be7689
SHA512: b50aaa43395bb3c1a3452214ecdcf87fd1c70446ddd556196125d056427df977a546c8e6b8f545e7babf2ef211ad0466dd09a615cb9eabba77015b5f35edb4c3

Filesize: 99KB
MD5:    db2076a039687bc1cfefd370ea02161f
SHA1:   5c72283c00ffe595fe24ca8de3b689fe6b64324b
SHA256: d88021949bb367f0bf997b1ae3326f25cfd08380bc7bb264d76e75a832e7be4a
SHA512: 42e8e5571a954b463dc6c4fe053c568a2a26732d217b09bdd9fe182b7ae9538a8e2cab00b814444099119214fa6482326c48e2c98827c8d34d1d835e43832825

Filesize: 99KB
MD5:    4d6059f4c5d7fcfb104892bccdb32d00
SHA1:   60acb10153a46e96b8971b9727eca04d88f3b11f
SHA256: 65c423f613e79d56020b172b6b67ad8ddfc9626d3d3a99830ecfcf0c590532d4
SHA512: 4f837bcf545d7ba33856fd40224ec46e237c8e2c3d8145e799a6a73d171ddf4ff9ea3ee453cc0d2461594378b7512935b3058d10dd35e38b7e92b094d809441f

Filesize: 13.5MB
MD5:    660708319a500f1865fa9d2fadfa712d
SHA1:   b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256: 542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA512: 18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Filesize: 26B
MD5:    fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1:   d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 666B
MD5:    e49f0a8effa6380b4518a8064f6d240b
SHA1:   ba62ffe370e186b7f980922067ac68613521bd51
SHA256: 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512: de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4