Resubmissions
- 21-11-2024 22:35  241121-2hr9lsymbz  (score 4)
- 21-11-2024 22:34  241121-2hb8dsymbv  (score 4)
- 21-11-2024 22:32  241121-2f212aylhx  (score 10)
Analysis
max time kernel: 70s
max time network: 73s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-11-2024 22:32
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/roadmanlazer/NoEscape.exe-Download/tree/main/NoEscape.exe
Resource: win11-20241007-en
Errors: none listed
General
Target: https://github.com/roadmanlazer/NoEscape.exe-Download/tree/main/NoEscape.exe
Malware Config: none extracted
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" (NoEscape.exe)
UAC bypass (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NoEscape.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (NoEscape.exe)
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
- PID 2996 NoEscape.exe
Checks whether UAC is enabled (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NoEscape.exe)
Drops desktop.ini file(s) (2 IoCs)
- File opened for modification C:\Users\Admin\Desktop\desktop.ini (NoEscape.exe)
- File opened for modification C:\Users\Public\Desktop\desktop.ini (NoEscape.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- flow 32 raw.githubusercontent.com
- flow 33 raw.githubusercontent.com
- flow 34 raw.githubusercontent.com
Modifies WinLogon (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0" (NoEscape.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" (NoEscape.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (NoEscape.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" (NoEscape.exe)
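The Winlogon, UAC-policy and wallpaper rows above translate directly into host triage rules. The block below is an added example and is not part of the sandbox report or of the sample: it parses rows in the report's own "Set value" layout and applies rules written here (the rule wording, the DEFAULT_USERINIT constant and the function names are assumptions of this example; the sample rows are copied from the report plus one constructed benign Userinit row at the end).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Row layout as the sandbox report prints it:
#   Set value (type) \REGISTRY\<hive>\<key path>\<value name> = "<data>"
_ROW = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)"$')

# Stock Userinit on a clean install (Windows keeps a trailing comma; harmless).
DEFAULT_USERINIT = "C:\\Windows\\system32\\userinit.exe"


@dataclass(frozen=True)
class RegEvent:
    key: str   # key path, e.g. \REGISTRY\MACHINE\SOFTWARE\...\Winlogon
    name: str  # value name, e.g. Userinit
    data: str  # value data, with the report's doubled backslashes collapsed


def parse_set_value(row: str) -> Optional[RegEvent]:
    """Parse one 'Set value' row; rows of other kinds (Key created, ...) give None."""
    m = _ROW.search(row)
    if not m:
        return None
    key, _, name = m.group(2).rpartition("\\")
    return RegEvent(key, name, m.group(3).replace("\\\\", "\\"))


def check_event(ev: RegEvent) -> List[str]:
    """Triage rules for one registry write; returns zero or more findings."""
    key, name, data = ev.key.lower(), ev.name.lower(), ev.data
    findings: List[str] = []
    if key.endswith("\\winlogon"):
        if name == "userinit":
            # Every entry besides the stock userinit.exe runs at each interactive logon.
            entries = [e.strip() for e in data.split(",") if e.strip()]
            extra = [e for e in entries if e.lower() != DEFAULT_USERINIT.lower()]
            if extra:
                findings.append("Winlogon Userinit persistence: " + ", ".join(extra))
        elif name == "disablecad" and data == "1":
            findings.append("Winlogon DisableCAD=1 (Ctrl+Alt+Del logon requirement removed)")
        elif name == "autorestartshell" and data == "0":
            findings.append("Winlogon AutoRestartShell=0 (Explorer not restarted if it dies)")
    elif key.endswith("\\policies\\system"):
        if name == "enablelua" and data == "0":
            findings.append("UAC disabled via EnableLUA=0 (takes effect at next reboot)")
        elif name == "disableregistrytools" and data == "1":
            findings.append("regedit blocked via DisableRegistryTools=1")
    elif key.endswith("\\control panel\\desktop") and name == "wallpaper":
        if "\\appdata\\local\\" in data.lower():
            findings.append("Wallpaper replaced with a file under AppData\\Local: " + data)
    return findings


def triage(rows: List[str]) -> List[str]:
    """Run every row through the parser and the rules, keeping report order."""
    out: List[str] = []
    for row in rows:
        ev = parse_set_value(row)
        if ev is not None:
            out.extend(check_event(ev))
    return out


# Rows copied from the report, plus one constructed benign Userinit row (last).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

The Userinit rule compares each comma-separated entry against the stock path instead of matching the literal string, so it also catches a second implant appended after the first, and the constructed benign row (stock value with its trailing comma) produces no finding. On a live host the same rules apply to the output of `reg query` for the two Winlogon and Policies\System keys.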
Drops file in Windows directory (4 IoCs)
- File created C:\Windows\winnt32.exe (NoEscape.exe)
- File opened for modification C:\Windows\winnt32.exe (NoEscape.exe)
- File created C:\Windows\winnt32.exe\:SmartScreen:$DATA (NoEscape.exe)
- File created C:\Windows\winnt32.exe\:Zone.Identifier:$DATA (NoEscape.exe)
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)
When a file is downloaded from the Internet, the browser tags it with a hidden NTFS alternate data stream (ADS) named Zone.Identifier; the ZoneId stored in that stream (3 for the Internet zone) is the Mark-of-the-Web (MOTW) that SmartScreen and Office Protected View consult.
- File opened for modification C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier (msedge.exe)
Treat this signature as weak on its own: the only IoC is msedge.exe writing the stream on its own download (the process tree attributes it to Edge's quarantine.mojom.Quarantine utility process, PID 3360), which is the browser applying the mark, and the rows above show the copy dropped as C:\Windows\winnt32.exe still carrying a Zone.Identifier stream.
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NoEscape.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies Control Panel (4 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Mouse (NoEscape.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Mouse\SwapMouseButtons = "1" (NoEscape.exe)
- Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop (NoEscape.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\AutoColorization = "1" (NoEscape.exe)
Modifies data under HKEY_USERS (15 IoCs)
All 15 writes are by LogonUI.exe under the .DEFAULT hive (logon-screen DWM and accent colour state), not by the sample.
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
NTFS ADS (6 IoCs)
- File opened for modification C:\Users\Admin\Downloads\NoEscape.exe:Zone.Identifier (msedge.exe)
- File created C:\Windows\winnt32.exe\:SmartScreen:$DATA (NoEscape.exe)
- File created C:\Windows\winnt32.exe\:Zone.Identifier:$DATA (NoEscape.exe)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 698966.crdownload:SmartScreen (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 669694.crdownload:SmartScreen (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 181835.crdownload:SmartScreen (msedge.exe)
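The Mark-of-the-Web and NTFS ADS rows above show where the mark lives (the Zone.Identifier stream Edge writes on the download) and that the copy dropped as C:\Windows\winnt32.exe still carries both the Zone.Identifier and SmartScreen streams. The block below is an added example, not code from the report or from the sample: a parser for the stream's [ZoneTransfer] block and an audit over a file's stream names. The stream text is constructed here (its ReferrerUrl is the report's target URL; its HostUrl is a placeholder, since the report does not give the raw download location), the zone table is the standard urlmon numbering, and `read_stream` only works on NTFS under Windows.

```python
import configparser
from typing import Dict, List, Optional

# URL security zones as Windows numbers them (URLZONE_* in urlmon.h).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] block; {} when it is missing or malformed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep ZoneId / HostUrl casing as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("ZoneTransfer"):
        return {}
    return dict(cp.items("ZoneTransfer"))


def zone_id(fields: Dict[str, str]) -> Optional[int]:
    """ZoneId as an int, or None when absent or not numeric (no usable mark)."""
    try:
        return int(fields.get("ZoneId", ""))
    except ValueError:
        return None


def has_motw(stream_text: str) -> bool:
    """True when the stream marks the file as Internet (3) or Restricted (4) origin."""
    z = zone_id(parse_zone_identifier(stream_text))
    return z is not None and z >= 3


def audit_streams(path: str, streams: Dict[str, str]) -> List[str]:
    """Findings for one file given a mapping of its ADS names to their contents."""
    findings: List[str] = []
    zi = streams.get("Zone.Identifier")
    if zi is not None:
        z = zone_id(parse_zone_identifier(zi))
        if z is None:
            # A present but broken stream is the failure mode to watch: the
            # mark is gone as far as SmartScreen is concerned.
            findings.append("Zone.Identifier present but unparsable: MOTW checks will not apply")
        elif z >= 3:
            findings.append(f"MOTW: ZoneId {z} ({ZONE_NAMES.get(z, 'unknown')})")
            if path.lower().startswith("c:\\windows\\"):
                findings.append("Internet-tagged executable under C:\\Windows (copy kept the stream)")
    if "SmartScreen" in streams:
        findings.append("SmartScreen stream present (written by Edge alongside the download)")
    return findings


def read_stream(path: str, stream: str) -> Optional[str]:
    """NTFS on Windows only: open 'file:stream'; None when the stream does not exist."""
    try:
        with open(f"{path}:{stream}", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed stream text in the browser's layout. ReferrerUrl is the report's
# target URL; HostUrl is a placeholder, not the real raw download location.
SAMPLE_ZONE = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://github.com/roadmanlazer/NoEscape.exe-Download/tree/main/NoEscape.exe\n"
    "HostUrl=https://raw.githubusercontent.com/placeholder/NoEscape.exe\n"
)

if __name__ == "__main__":
    for f in audit_streams("C:\\Windows\\winnt32.exe",
                           {"Zone.Identifier": SAMPLE_ZONE, "SmartScreen": ""}):
        print(f)
```

On a live Windows host, `read_stream(r"C:\Windows\winnt32.exe", "Zone.Identifier")` returns the stream text to feed into `audit_streams`; `Get-Item -Stream *` in PowerShell lists the stream names for the same file.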
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- PID 3256 msedge.exe (2 entries)
- PID 2776 msedge.exe (2 entries)
- PID 980 identity_helper.exe (2 entries)
- PID 1476 msedge.exe (2 entries)
- PID 3360 msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
- PID 2776 msedge.exe (10 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 2776 msedge.exe (64 entries)
Suspicious use of SendNotifyMessage (36 IoCs)
- PID 2776 msedge.exe (36 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1412 LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2776 msedge.exe wrote to memory of PID 4068 (procid_target 79)
- PID 2776 msedge.exe wrote to memory of PID 796 (procid_target 80)
- PID 2776 msedge.exe wrote to memory of PID 3256 (procid_target 81)
- PID 2776 msedge.exe wrote to memory of PID 3752 (procid_target 82)
The report lists 64 entries, most of them repeated writes to 796 and 3752; every target is one of Edge's own child processes (crashpad handler, GPU, network and storage services in the process tree), so this signature reflects browser process start-up rather than the sample.
System policy modification (1 TTP, 5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" (NoEscape.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NoEscape.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (NoEscape.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" (NoEscape.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (NoEscape.exe)
Processes
PID 2776  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/roadmanlazer/NoEscape.exe-Download/tree/main/NoEscape.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID 4068  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff997e23cb8,0x7ff997e23cc8,0x7ff997e23cd8
  PID 796  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  PID 3256  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  PID 3752  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  PID 1840  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  PID 1572  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  PID 980  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 1276  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  PID 1104  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  PID 4828  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  PID 2732  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  PID 1476  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 4900  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  PID 3936  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  PID 3136  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  PID 3532  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  PID 4304  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 /prefetch:8
  PID 3360  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1172 /prefetch:8
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
  PID 2684  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,8713057779128842946,15945507912377007015,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:8
  PID 2996  "C:\Users\Admin\Downloads\NoEscape.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Modifies WinLogon
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - NTFS ADS
    - System policy modification
PID 4368  C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 3316  C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 1412  "LogonUI.exe" /flags:0x4 /state0:0xa3a16055 /state1:0x41c64e6d  (image: C:\Windows\system32\LogonUI.exe)
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Winlogon Helper DLL (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (5)
- Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Downloads
- 152B
  MD5: e9a2c784e6d797d91d4b8612e14d51bd
  SHA1: 25e2b07c396ee82e4404af09424f747fc05f04c2
  SHA256: 18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
  SHA512: fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1
- 152B
  MD5: 1fc959921446fa3ab5813f75ca4d0235
  SHA1: 0aeef3ba7ba2aa1f725fca09432d384b06995e2a
  SHA256: 1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
  SHA512: 899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06
- 666KB
  MD5: 989ae3d195203b323aa2b3adf04e9833
  SHA1: 31a45521bc672abcf64e50284ca5d4e6b3687dc8
  SHA256: d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f
  SHA512: e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (1KB)
  MD5: e55c30135f52e456687f0e09bf549dc1
  SHA1: 8b032ae99a2c1e4f4f5562f44f2516f5909ddb78
  SHA256: b0943a8597c167a177657145cddb88901e067043db2ee0c534e5b4ea2192c159
  SHA512: 354ccc8159ea12eddb44f269d692c78fd0c3f7686fdb8f47ff30c20e2594379cdbb83f31f58c2143a696d9a1ea3c8e7d9cd71eec12569ecaf68c651202b4b1e9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (1KB)
  MD5: d4d17c544d3d518a0c6f47120198c1e0
  SHA1: 0316e3c7e0259148a38825e97619a1ff03e20eda
  SHA256: 7b759f009ceb6a24e8e47eecb9c49394e944bbc817b51231732f3054c0826b4e
  SHA512: 33e84a57703df53dead6c1ecd727d3509fd056183b11ca0f6314f92a03b7f0a806f8a181df4270c42ce193e2a8e532ff4bf597bc1dd7c6650f96030425611eb5
- 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- 579B
  MD5: 0a215e77048a147d5ca6a0f085a6cbfd
  SHA1: 8d4abdcbbcd3dced499301ee4398952285ebd9ac
  SHA256: 81bbfe3f5fb2f5d99a723db8d227299126998b0a3f5658011c7b626bafd305ce
  SHA512: 6dd9741242244cb55cf2f9c59f7f9fc73ed8df53810beff13407cc7a27992b30591df5f5c4eb9dc6327369a9483f82e069578c2c18790caeb4e54768665f9b49
- 5KB
  MD5: a1d1554ccf851114796b76c62a14cd79
  SHA1: 6c56fc019e7a1a444b4740312fb9fe464733fbfc
  SHA256: e08435fefa3ebaa837badf285842355021060fe3a8e8f83b2d0f8caf2bc39634
  SHA512: b3eeaab08056a84b2cbb98eedb7f06b481248bc2e26fd3cc1d4d715358a79b117a50a5acd1e78445f36b3d7610d1bd777cd14f486dd3e8c128ec7eaffcd97d3b
- 6KB
  MD5: e4b2c58d63c5e8fb8cf642ed2a2bf673
  SHA1: 3b176ce9ef621869fad79835c3bcba5034b76d15
  SHA256: 3d4e925f9e40b87f223584608a83bfbef023ffe432116e83b6c8f6f5db20f73d
  SHA512: 5e679f87654bae60f557194f1f27cdfeea23ce2c60ed3943270ab5b556153f8f62ede7acb1df640dbe5168bbc6a8637744fb0b2a201415536d4d4f0e2b4cdf41
- 6KB
  MD5: 97dcbaf3957c59c14bf6d9875fac41ce
  SHA1: 6a0a0678bb51c846f22e8c58b2d14d3d1992e815
  SHA256: 2bedcb8cd307e970486ac73aa06953045adb0adf0e4f9412a89f08180729ccdb
  SHA512: d8b88f64d0e424f071c8b8245520ce5e378d1518b016c97e8e5c2e0e0b337442b2f0afec3a610a969cbb924f39ee09da147d0b7b0b574e70e17ddf5cadf51c15
- 874B
  MD5: 0200d7b0a453c4780368b5de452fed01
  SHA1: 0898ab7ccae1c6493e3608d25c2f107f58e918a2
  SHA256: c4c13aa7de07e939b44b35ce69373772a83c9bff343c476147925d6bd9e8e888
  SHA512: 7fbb6ae468162c832e26b0a384bf26ee6fddb000ebf4561633ec4d9576c01a7f599641b7f4c15a8e76e3eee4f186815709b499b500e9bdab7c11fdd25b3b3c4f
- 874B
  MD5: dc1af33384a2b419b230442f7fce1381
  SHA1: 4ea131dcc0e16fd94f6057aeca726e4eb44b8a67
  SHA256: 2c42c78887e063f330de400e5866636a53ab75f200b47a6974f133590968f7ca
  SHA512: 931fc39fcc7ee983dc9483d32ea3dda746f1de5d0d4671770b930255c92b434b6ecdd1c60576747ee9b80e1b6389fa653479fa34c7d4d04926c369cc6779b2f2
- 874B
  MD5: 3d907546c4b280af538fc4adf508de38
  SHA1: 487b17af41d0ec6cd55b53aed7414c343422801f
  SHA256: 06fe52b715bb8e2fc4241596de8f2140141cd0b407a79d49a0ba644968c74586
  SHA512: 6133f64d087fe5cb179234ceefabcb3408c1cd1e79ccd9e95d1011ff366df0c8e4b100f0315e5744dd1f369b8f15ec37e03681f72dfdc7761aab31f5a7e48fc4
- 1KB
  MD5: 78ad86338368d89fda86a3bb5d419251
  SHA1: 59ffef975666a918ed93818411d23a344779052a
  SHA256: 024ec0a5240b14590bee70ed0287d2d840b7857248eacd7f62829a55d2a78ced
  SHA512: fb4fd90a322ed3d2dce0b0f8b56a81da9d3e3d5eed10b8d6357c995d049eb2e4179e779d4bfda390b21cf377646cb94cb6cc94de9a54eab3f1d456b3d6fbc69e
- 1KB
  MD5: 60e1285a1d396d83a39c47042b2c911d
  SHA1: 2d0ddb2a2906364b68d930f9f6c448a53e56026a
  SHA256: 21df0c37369c8b1cc4b2526f2204171b7aaefaf5f4513e16efc943f2b5038554
  SHA512: 243a30a3fa92c65ae7892329fea80688788b414d8037706668be07181ea97c48f362c8cf8ab02da44744a752af4b87af071c3de3d98dc6216a1b365ba8fee1ac
- 874B
  MD5: 8950b8b49056539f5005287e73c46fd7
  SHA1: 41a3ffda77ee9c5424d62a345d39ef90f814ddcb
  SHA256: b866bc847635dc7ca63711469636cc57e5e56ae3dff7be257b67bebf5babd45d
  SHA512: 91a3c03d15a85d2a58a5e92b351bda20728cdb211c2e28153116767d5368472dc5890a12ac756faa10b1e8f0a38e5288d1a09fe8271cd54da82419de01b1369f
- 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- 10KB
  MD5: e5c989bb11d48d6be31b24d28782e040
  SHA1: 39f8ef6784c81cc523b67567054729c4ee4fbe92
  SHA256: 9ffb7669458da8fa7a7170b5b2bb7ae0495d06254a8c5855a64fd3829cebf454
  SHA512: 35a38fa4d995be89fdece9cc32d4dfee530a983f1b288016ef7eb44c8f8028f8e31a81c0dee9e3de79734cdf13f1c9586ff075994e96081d63a3e22ef97b277e
- 10KB
  MD5: e67e1f9c4f9fa3024d6679d521d6bbdf
  SHA1: f8943fd2ac0ec8581e18bf3a8a745e51bb85f7c5
  SHA256: 6196d1a389cfd88920d86a71f9f29a88741176cae48279536dcf9f79f65fc6f2
  SHA512: 4c15710d3ae0d5e9b5ba5dff880443ea026ad84dd399945fbb690a8d0c4ac729a91ab63d52bbf90c44fae61ab55a08fe7a568687f5b6bfb9dab47c568d73a5bd
- 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
- 666B
  MD5: e49f0a8effa6380b4518a8064f6d240b
  SHA1: ba62ffe370e186b7f980922067ac68613521bd51
  SHA256: 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
  SHA512: de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4