hxxps://example[.]com

Resubmissions

28-01-2025 13:27

250128-qp9axssqck 3

28-01-2025 13:08

28-01-2025 12:54

28-01-2025 12:51

27-01-2025 18:45

23-01-2025 19:23

12-03-2024 13:45

12-03-2024 13:33

Analysis

max time kernel
104s
max time network
107s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-01-2025 12:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://example.com

Score

10^/10

defense_evasion discovery persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "163"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe
4024	msedge.exe
4024	msedge.exe
2204	identity_helper.exe
2204	identity_helper.exe
3716	msedge.exe
3716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1892	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 1464	4024	msedge.exe	82
PID 4024 wrote to memory of 1464	4024	msedge.exe	82
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3388	4024	msedge.exe	83
PID 4024 wrote to memory of 3260	4024	msedge.exe	84
PID 4024 wrote to memory of 3260	4024	msedge.exe	84
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85
PID 4024 wrote to memory of 1844	4024	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://example.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffdec2f46f8,0x7ffdec2f4708,0x7ffdec2f4718
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1944 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=224 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18424373677106568426,10745604302123673445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x2ec
1⤵
PID:4324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3232

C:\Users\Admin\Downloads\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a28855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8fe50664fd38239e8c01b75122cc6b3d

SHA1
36d011ccd6e5ce47ad0e69559c782d6482e6cf4c

SHA256
c7be861be90fd1a2b4df96b30c8b39739d99f945f79d21bef4eb7481358bfb0a

SHA512
f96af6111881853330c9c8816a354faf8946c97cc56e04b0de9a764a40f4541dd4b59c82a8db8c243f059c386e680f8c1f010c34f6da0cdb6fb1fa4de81afd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4fb80eb4f5ceea0a6e6cf355aba0cfde

SHA1
6f40f032047d0d60c5f3f13ceba84dacd3b18c41

SHA256
1ca9a436ab517286e13c6b455eceace5c5ae33d585f75aacf98a2858b0348035

SHA512
9df147f75c692186d90b6edb3dfdf029b01c6d77a224042e00294b4ce935bd709abe46b60a58e4d2ffebf434beeee42d41a1829ccdd38f5484ccebe2633b7f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
328999db87a2a543fd7b4c71d2c4ae4f

SHA1
2df21b7e904287edc6d9b26aa2ffb1aed100c5cb

SHA256
ea3e6adca3e83fd0abd996120702e0bd2c20864bcbd9c06ec47033b5f26e5058

SHA512
884c7aa954b424c16deaa65065eab4d728697732826af145985da336da5cbbcbccdb3339a5d3f3f64b8e839645d0a0ea77b067fc9907a1977b34c1d57420a83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bbb3c990b1ebeb72f4ba06a51c6c29bb

SHA1
05802482ef19e0173516da04d94616ed628e571a

SHA256
e43dcb22af333589208f4c6c875b559ef255309ce5ab6f6cc9e4c5627ea93bcc

SHA512
90316eb75d4ef045fddc8fdfca084083629ee3058188200e2335db90549d68630cfef9a56febdb7737cdfa6292171f34d5acc07003130f40d970ca97c7e06680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f28ede286a3c4b23e4dcbd8ff6fa630

SHA1
81132d74954e9a8c98511ab07b83d7728fb953e1

SHA256
cae613ff634455c31bfad16be04dd7570081d390eb8305fd67db6e31f82cce9f

SHA512
9677f93017d0d9346bcf6b163eb63f2b5875e8fdcb11883f57047ca635374864f738848dbceaaf7afff6fee31259354dede540e01931c7fe51a715238aea70bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
edc8585a5ae832d70bd7b52fe7b51893

SHA1
3529e7e130ab7ab58523a28e14afc644bd093dfe

SHA256
ab6e5c4172af3f414884857f6cd046ebfd85091cbf96ae0e84587db898e6d181

SHA512
1c346305d3df153af3722940773cc592720ab5fe7104d6f55c0519d9cf736f04eb4d3cfadb16e1a8c0137c5032988cb03ed0c1b6acf5040ae9fc88c10d468457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ddbc975063712a93180b90311fe0672

SHA1
e30607081de5dd35feb6c897fad954226e3109e8

SHA256
f80a47f1db60d1ec7daf9371c86bb90b72a9f40e14cdbcb44c5dfb45029cf5eb

SHA512
98c99af8788cb1eb034ba6937dd7bd5caf20ecb20e08e228dee797bb5b5da6e787ca36b55435f89c9000a66f4c99583990f0218481144fadbeda447938407a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b80a1ea675b183a5dfe08e7e7a6a87c1

SHA1
07bfbbe8a01a678a085b99d6a1de84cd25ffba0f

SHA256
2d94c5e019ca475a1f2c96c21315914cd471d9d37df93cfab7462de71d4d9b0e

SHA512
a292991f91489e4543338aafc952083ebb25d9a8a6f893beee5f896a42a085a1947c434fe13a4129c65c27b2aae312d7cac052dfb4153c8a0f4fbad9fc82b964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8be763a684e953a8d49e23b8228398cb

SHA1
379baf2ada2758bcce144505ea50295b13b5f49a

SHA256
9dde268a1d5287643ce47a0485ba467ca8c6eb66a29a01cbbf88a2b6d6736a1c

SHA512
5035b1f603ba503af51ead4dc28bdc60b4d62dc6dae09084ebbf1ee6ccb1956d3592a2a76e57b97b0d22455d2af576cd01060e07111f66cbcaeffc5b9956b619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a04a3e083ec5fd383e85922b887a254

SHA1
9c1124e913970202aeca23b230aabe8afc404abb

SHA256
68a1eb88aedf41508eb02bf82d2021ecf60b229ba495ff7079ccc97d305f303b

SHA512
489bd03ecc8f1f0d6cd5d37cdd518d31030114b3f240dae54c197d36a9cd09584991b7e62bf9add25fc1da7ec9f476b0d66bb1035429e6b4005f25d18cfe0953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b2e27dce87d3497b61539569561cf2f

SHA1
fa371245412fb126e1f84b6ad539636896417f85

SHA256
84e4f35feedaccd1c7d9121ef12183f979c5512fb34e0175bb5cf5abc8a4cf2f

SHA512
6d19d21e9ffadf9da9a11588968425771bb0b94b6874585d5cbe78a5326d57161ebb36137060964dfb60aa3667638431d4be21e1913f4d935630984eeb917ed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582640.TMP

Filesize
538B

MD5
45504c2611ce1af4e946773b53f4c0de

SHA1
617bdd2d285bf8d8da4a5f554edc77341a141f15

SHA256
8751dbe2e20f8e3822fb235666da40dbef0628a0af76c958a15344fcec724c5d

SHA512
a4ded663e9c8a609b30b1355bd60e41ddf4bed0aed420cb6c0bd2df0308bace406afc635057a99dbdecc02816a3f33743fa7d47eb375779ab4bab0731e7cc7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3bd8c69f34abeb1e524f9ece0a0a186b

SHA1
429945e8fa32cef9023ca63349d61ec609e10299

SHA256
9517566de24892f7a6a25766ed43ec3a857440673a194993f5323af878504016

SHA512
fbb0d13aef3a39b32a02313566e7c29de759f06cc37b63a1b4ddf707136a53fc96305b8e3d08ac85da4985e5c7ae5fbe06362e58a817ce5d827b8fd4ecae8955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab14cb56b0f7c0f4801ad98a417e62a3

SHA1
cd2dcc99d69a0bcccd25fe1fd07e2d92b7554743

SHA256
9252efbea63eeaf022b667466e150f40fc59f68d6be07f1710c7cd128c40eb29

SHA512
770162c3d64f6d73643840ac5f58051e7b48febb32d32c359bdc758ea07fa439dcabddd245cceadbbfec36ce122ce8cba79ed909441e2b3ba69e842f8c90007d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 320469.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Public\Desktop\☗Ⱖᝁⱐׁَࡒزፓᓑฏ׋इ⍒ᣯ␮ܲ✜ݨ஌⣠ᒘ⛚⤕∜⋜⿢❙⛐߳ᆸᶜ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/3124-534-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3124-536-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/3124-711-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads