Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
62s -
max time network
64s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
18/10/2024, 03:05
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
Resource
win11-20241007-en
Errors
General
-
Target
https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.0
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" NoEscape.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NoEscape.exe -
Loads dropped DLL 1 IoCs
pid Process 2692 vc_redist.x86.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini NoEscape.exe File opened for modification C:\Users\Public\Desktop\desktop.ini NoEscape.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" NoEscape.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\winnt32.exe NoEscape.exe File opened for modification C:\Windows\winnt32.exe NoEscape.exe File created C:\Windows\winnt32.exe\:Zone.Identifier:$DATA NoEscape.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vc_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vc_redist.x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NoEscape.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings msedge.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier msedge.exe File created C:\Windows\winnt32.exe\:Zone.Identifier:$DATA NoEscape.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 3344 msedge.exe 3344 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 3132 msedge.exe 3132 msedge.exe 4568 identity_helper.exe 4568 identity_helper.exe 1020 msedge.exe 1020 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4364 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1172 wrote to memory of 1720 1172 msedge.exe 78 PID 1172 wrote to memory of 1720 1172 msedge.exe 78 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3388 1172 msedge.exe 79 PID 1172 wrote to memory of 3344 1172 msedge.exe 80 PID 1172 wrote to memory of 3344 1172 msedge.exe 80 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81 PID 1172 wrote to memory of 3848 1172 msedge.exe 81
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Sn8ow/NoEscape.exe_Virus/releases/tag/1.0.01⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb49a3cb8,0x7ffdb49a3cc8,0x7ffdb49a3cd82⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1992 /prefetch:22⤵PID:3388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:82⤵PID:3848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵PID:3948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵PID:2856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵PID:908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵PID:3772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,16331303875935804944,2736099355061150947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1020
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1548
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4464
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4208
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4392 -
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{727D9E76-0134-4C8B-807F-A3777AA2E478} {24680658-ECD0-4040-B139-4BBC950FB41C} 43922⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2692
-
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2164
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a17855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4364
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3664
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e1544690d41d950f9c1358068301cfb5
SHA1ae3ff81363fcbe33c419e49cabef61fb6837bffa
SHA25653d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
SHA5121e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da
-
Filesize
152B
MD59314124f4f0ad9f845a0d7906fd8dfd8
SHA10d4f67fb1a11453551514f230941bdd7ef95693c
SHA256cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
SHA51287b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD543863ee837c06c137d7f6f3fadcffb5b
SHA1e0f506f6e681ce5319b8220d65814c1bea3a3432
SHA25682e0f02cbcc2beca3508db69be2545746f01a5699c766102c60c1305dba4eead
SHA51203468be60819ea1d770acba1f4e3b8f7f39802cf926e90e42bca9443388777fb15bfc95dc2e9799099cb6c0bdc5312ddf3f587d962531cc9a226ebf16707381c
-
Filesize
6KB
MD58d29a1112aa15832efe710c68b1a7ea7
SHA1ea40baffa7f746999b11a2e103aad06a9130b069
SHA256b5d8f5e306a689080dad79d9f4a13d329c4cf5aaa57cf1bbfa151e819ce95cc6
SHA5129b45b8e135d7090ff58140037808c35c8530b7d64af6b436e2139e7cec1b1880b9bf45fbf6726e2c196b6d967796a05e2bdbe713c42ffce5c1e1ccda599dd7f6
-
Filesize
5KB
MD566cc17a7d3f382fe17e9341cc5f6eea0
SHA1bc5c1278387379e8d96f7da67d3f6114373e2860
SHA256820afea43d0417d9d9d99578dfa6fd8f9efa3ed9d4ab2560ec57811170dcc5fb
SHA512b7c7ce7d70abf783a3cf1fe46810250e6e23ee2b3e962c630fdfaa36db70d7f8fc748accd283577f4c206c1f102480375b83c9fb604fd0f33644747f7d4e49fb
-
Filesize
874B
MD5785297883cc36418d911cf0e37fe2285
SHA19e33854fbaeb1d203b93ae5261fe0ad2a2e245e2
SHA2564335a5fdf1d5f2cb4348251ea34577d9f967da92cd18d5fc2e5b43f5edd58210
SHA5124a71086a2631c4460243f7dac459974ed55fa067d7d706e812574c7b24b1c8323f88deffe49737aa4b8e421cc92240013966c94dc7597aa3b54afb5e99ba2fd4
-
Filesize
874B
MD52c2064637032c0cdb3ef09669e0c10a8
SHA1b04c800fcdb2d12972ca3a3d189f412ede60a8b2
SHA2566f46b9eabecafe41ca2a860dc852b98c9df1dc90b660440ed3a49441d0548d9d
SHA5123b0bfdeb7584ed28284b6b08a52c736a74fdc80e8267a30eb3191afc52795203f68d890f315c4c06b49da6d7e51979a1e5d8ff140966625bbab3727aa893e8a4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD51e3024142bcc228ac36b5d9fab950448
SHA1b8208769b5e2bf6a0ec249007da02beb8f16d35f
SHA256b1311d0737c3f115507d1c97d426f0dc8a957cf9a5df6ef090d6be43ce09cf34
SHA512542473d596320a3f456840c5b86ae637f2dc6f37d39dd5727cfaebaa4f311dfa9680b917ee257c6b88b3977c287d2b9cc97752f9a86ce18b91172b58695d7d8f
-
Filesize
11KB
MD5dbf64876949dba427522de00a9276953
SHA1d3c137277a259c8c7647e6c703fb75a8684dcb6f
SHA256ffea02836358501a604e1a29ae1212eeaabfa95bc5a3d9341efa530733d9ac55
SHA5122050a366c96afbd10c41659228e161d0d8e8f94f4f0697fd10a832031aaeb6074cdc89387a5ac4433b8078efbc58a4777d1ea8c7207390c089a9e0242b800b81
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
118KB
MD54d20a950a3571d11236482754b4a8e76
SHA1e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c
SHA256a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b
SHA5128b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
13.5MB
MD5660708319a500f1865fa9d2fadfa712d
SHA1b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA51218f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517
-
Filesize
666B
MD5e49f0a8effa6380b4518a8064f6d240b
SHA1ba62ffe370e186b7f980922067ac68613521bd51
SHA2568dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4