Analysis
-
max time kernel
53s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06/11/2024, 01:16
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/LocalAlloc/NO-ESCAPE
Resource
win10v2004-20241007-en
Errors
General
-
Target
https://github.com/LocalAlloc/NO-ESCAPE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" reg.exe -
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4024 attrib.exe 716 attrib.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation No Escape.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation No Escape.exe -
Executes dropped EXE 2 IoCs
pid Process 5620 No Escape.exe 5728 No Escape.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 62 raw.githubusercontent.com 63 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg" reg.exe -
Drops file in Program Files directory 25 IoCs
description ioc Process File created C:\Program Files (x86)\shaking.exe No Escape.exe File opened for modification C:\Program Files (x86)\shaking.exe No Escape.exe File created C:\Program Files (x86)\hello.jpg No Escape.exe File created C:\Program Files (x86)\hello.reg No Escape.exe File opened for modification C:\Program Files (x86)\launch.exe No Escape.exe File opened for modification C:\Program Files (x86)\mover.exe No Escape.exe File opened for modification C:\Program Files (x86)\mypc.exe No Escape.exe File created C:\Program Files (x86)\date.txt No Escape.exe File created C:\Program Files (x86)\ No Escape.exe File opened for modification C:\Program Files (x86)\hello.jpg No Escape.exe File created C:\Program Files (x86)\launch.exe No Escape.exe File created C:\Program Files (x86)\launch.exe No Escape.exe File created C:\Program Files (x86)\msg.exe No Escape.exe File created C:\Program Files (x86)\shaking.exe No Escape.exe File opened for modification C:\Program Files (x86)\erode.exe No Escape.exe File created C:\Program Files (x86)\hello.bat No Escape.exe File created C:\Program Files (x86)\mover.exe No Escape.exe File created C:\Program Files (x86)\ No Escape.exe File opened for modification C:\Program Files (x86)\ No Escape.exe File opened for modification C:\Program Files (x86)\ No Escape.exe File created C:\Program Files (x86)\erode.exe No Escape.exe File created C:\Program Files (x86)\erode.exe No Escape.exe File created C:\Program Files (x86)\mover.exe No Escape.exe File created C:\Program Files (x86)\mypc.exe No Escape.exe File created C:\Program Files (x86)\mypc.exe No Escape.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language No Escape.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language No Escape.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "46" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2280 reg.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 588643.crdownload:SmartScreen msedge.exe -
Runs .reg file with regedit 1 IoCs
pid Process 4148 regedit.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1928 msedge.exe 1928 msedge.exe 3800 msedge.exe 3800 msedge.exe 3840 identity_helper.exe 3840 identity_helper.exe 5500 msedge.exe 5500 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 1476 shutdown.exe Token: SeRemoteShutdownPrivilege 1476 shutdown.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe 3800 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5728 No Escape.exe 5620 No Escape.exe 5200 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3800 wrote to memory of 2228 3800 msedge.exe 84 PID 3800 wrote to memory of 2228 3800 msedge.exe 84 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 868 3800 msedge.exe 85 PID 3800 wrote to memory of 1928 3800 msedge.exe 86 PID 3800 wrote to memory of 1928 3800 msedge.exe 86 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 PID 3800 wrote to memory of 3040 3800 msedge.exe 87 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4024 attrib.exe 716 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/LocalAlloc/NO-ESCAPE1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99af46f8,0x7ffa99af4708,0x7ffa99af47182⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵PID:868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:82⤵PID:3040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵PID:2504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:82⤵PID:756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵PID:4876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵PID:4864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3368 /prefetch:82⤵PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵PID:4196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵PID:968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵PID:5340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5500
-
-
C:\Users\Admin\Downloads\No Escape.exe"C:\Users\Admin\Downloads\No Escape.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5620 -
C:\Windows\SysWOW64\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4B4C.tmp\4B4D.tmp\4B4E.vbs //Nologo3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:6112 -
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\msg.exe5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4024
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\launch.exe5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:716
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s hello.reg5⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:4148
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 15⤵
- System Location Discovery: System Language Discovery
PID:3212
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f5⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:5176
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f5⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4672
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 15⤵
- System Location Discovery: System Language Discovery
PID:3400
-
-
C:\Windows\SysWOW64\reg.exereg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:4164
-
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 25⤵
- System Location Discovery: System Language Discovery
PID:464
-
-
C:\Windows\SysWOW64\reg.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f5⤵
- Disables RegEdit via registry modification
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2280
-
-
C:\Windows\SysWOW64\net.exenet user Admin death5⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin death6⤵
- System Location Discovery: System Language Discovery
PID:4840
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /t 0 /r5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
-
-
-
C:\Users\Admin\Downloads\No Escape.exe"C:\Users\Admin\Downloads\No Escape.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5728 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4B4D.tmp\4B4D.tmp\4B4E.vbs //Nologo3⤵PID:5972
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3464
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3244
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3900055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5200
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120B
MD5255a8e245b6ad378558b90cbe3dbc3d0
SHA16eb73f9f2034c113a2a6b1aab9a440a21928cfc2
SHA256d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9
SHA51267e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf
-
Filesize
1KB
MD5b86fddd2b764f079615be5d4dc3e158d
SHA12510479054db1fe52cc2dcd3c7033d91204cb367
SHA2562b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091
SHA512915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63
-
Filesize
110KB
MD5057ea45c364eb2994808a47b118556a2
SHA11d48c9c15ea5548af1475b5a369a4f7b8db42858
SHA2566e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836
SHA512582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760
-
Filesize
3KB
MD581427e9d5d10657b9edffd22e7b405bb
SHA1f27ab62f77f827dbb32c66a35ac48006c47f4374
SHA256bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83
SHA512b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592
-
Filesize
92KB
MD5b4acc41d0e55b299ffeec11a8a20cf08
SHA1bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa
SHA25634bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42
SHA512d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794
-
Filesize
9KB
MD5331a0667b11e02330357565427dc1175
SHA1d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2
SHA256fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431
SHA5121c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5f31b5b658fa6e9986dc2a400514347d0
SHA173e6b96d7838af53f7c68b6a90b9e44ca9ce6bdf
SHA256a16ea0ac854ac8c5d4f9f3601e626407fd48d703da579fd371bed16699f07960
SHA51222693530731ef40d118fe20d645a5ad9155bdd6526b5f68c61647c66faecfd032189490aa4f56da036cab29ceac76fb33e3f5a11052dbd8282368dec255318b9
-
Filesize
5KB
MD526b2d087f718f7aead380e8448c6af54
SHA14ad1fce6451c3c1576e367662eb02ae5fd7950b7
SHA2569e438465f547a3c13ca9ecc123953058ca7362092b1279d3ce7a7f6d99b2e5ef
SHA512786debdb01751caeb5d3ea6040905f1a1a34d8d301642d3e13bae6e8e5b6d5c82681f46e35dc0f57dcb45b881cf232893ee47169909de6e2b6ee42248275fd8c
-
Filesize
6KB
MD5a01dc4ce7c3c25ebc32d860166fc69a4
SHA13f553c671fb7401460a041e1f7020f501575ab31
SHA25663c220d42d0abf4499d1ae39e8f93b0418d15437644eef79e342c3024a5fc119
SHA512be9b9f83e2377269ec2d27d39612cdde0ba98575407c4e0a19a1df9cea2946693fb629ac627552beab62e2a4bfd63614bef8efeb9a787c5de14d0ca24c482c3f
-
Filesize
6KB
MD51b77c25cea49b772e7a71d1b59e3e8e4
SHA19857cba5716d9a66784519f242a8403a2b9c4c18
SHA2567177a3c7322e1c7f87e4f053800990bfe72b8d37bf90e1a1c7569f3315d6d967
SHA51235838289014ca60c0341933f72b669c518d532488aad498e5ab9154b258feb119b68521af316ee8be9812d958f6c5b726fc89f8edfce17649290626e5c0162ab
-
Filesize
1KB
MD52f7520878aaf2e9eeef99f5163b11ff3
SHA17c253ab46b8d5480bc1369b535c7240e3965afe0
SHA25614f1fe7a3b000f4463298157880bd50da0b74308e2aa9df6a5ac9629af40d0f2
SHA512f725a5769236eb109c374369723dbcdb4521f3928701c436fb1efb35aedb46919fba1399b57ad02739d29650f1d5aea2fddf9c3f46ddccfa0fad7b92ba67a44b
-
Filesize
874B
MD563f17f20e9922429df3df02d46bbdb40
SHA108b702c1207c1d706d69b8386c8e616fff30e3fa
SHA25634f101d5035d2abf1e02423ecb866e8719fafd7fbf940d001943e546f23d57c8
SHA512ed9bb7db9626e0604f36718a60722ad9ce860cb8f6b2bdfec844dba060b0cb1e247cbcae407865829604f03344bf6140fe7893e4b407ed6a8b019f141ab021eb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8a82a06-2560-42ba-a927-ec4c4b21fed1.tmp
Filesize874B
MD50e97d973b820863b3967f8e1696bd8dd
SHA14a298f8e875ad07f0a549da8951857db48b1980b
SHA25625072eb41f14268775cc3308fa3de9af0fdd9f6a2e02dfad132f9134000b6635
SHA5122c388ee246b95ef48b9300daec471b4f7095a36f76e85f93a184a34618acafe8d196cbe577ab6d955a270ce653642d807bd541466f1bb4eab20e55065408e5fe
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5a3fc8c08fe242005d89190660382c122
SHA1bde5065ff57451300e0c459f1b1a1f219db03dff
SHA2565d63b8b30e14e706b9e00a93bb3b520995ed998f4ebc684cd836c6c7fcb9ba58
SHA512838577c2bd404f377a0d96be195da0378269cb098815a80f0c792510503208417d3c867090082818c3a30625e5a7e916fb9969fa11a0d39f464dee269a32a579
-
Filesize
11KB
MD5a83268062c318d4a6ce4876fd357f7ca
SHA1cf2e461bd94c388537ecdf9bb29b916834e5cd70
SHA256e79fac0fc851e6eb9ab009854cba74e8697afa7bc18303466c8ec1b8a2fc3a8e
SHA5122956dbc00d1994b4c9686613f22e39cb63ee44e5c663ef78e62b21330f0710504f827672d22e20d1cf152a1eb15ce5236f04561d407dfbb77826ab8ae0b7fb34
-
Filesize
588B
MD567706bca9ceaba11530e05d351487003
SHA13a5ed77f81b14093a5f18c4d46895bc7ea770fee
SHA256190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f
SHA512902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598
-
Filesize
771KB
MD52782877418b44509fd306fd9afe43e39
SHA1b0c18bdf782ca9c4fa41074f05458ce8e0f3961b
SHA25656d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b
SHA5128826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86