hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n[.]zip

Resubmissions

19-02-2025 03:42

250219-d9pqsswnbp 8

19-02-2025 03:32

250219-d3vy8swmbn 10

Analysis

max time kernel
182s
max time network
184s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-02-2025 03:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip

Score

10^/10

defense_evasion discovery persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com
64	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844095624267729"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "105"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe
Token: SeShutdownPrivilege	3896	chrome.exe
Token: SeCreatePagefilePrivilege	3896	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe
3896	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3656	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2220	3896	chrome.exe	83
PID 3896 wrote to memory of 2220	3896	chrome.exe	83
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 980	3896	chrome.exe	84
PID 3896 wrote to memory of 3876	3896	chrome.exe	85
PID 3896 wrote to memory of 3876	3896	chrome.exe	85
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86
PID 3896 wrote to memory of 2856	3896	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff94b2bcc40,0x7ff94b2bcc4c,0x7ff94b2bcc58
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=500,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,5703744994671067978,11023115122364661260,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:4920

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5076

C:\Users\Admin\Downloads\NoEscape\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a26855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4b6546d8b2f6e0c34d7f9127fff782e1

SHA1
a13cd8b6ba88ae262d6dcadd338d65b1e6a17f99

SHA256
784271accb27bced0bedb1d283e2038c9862d2aa5b1bc516ea59ae4a3f68eefd

SHA512
d931481e8a99b18b9b04989df91a32b55e7dc316fafbc39c1ccf12ab69c30255c3def86620f12f538335b50ba54ab78f35801e9472923892e3e4ed761025391b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fb34a0cae9b0e76dc664828155b156bb

SHA1
81a567de965fc093f91dd018eafbb28149018c36

SHA256
4a69107ba66457892c6c627e09b9f628317e8ec2b1ccc61cd68d662bac3417ed

SHA512
d0af43cfd1b5e8a7fc7ccb64e8d3bc7cb7eeb7e21b961fc46d9878bddd2eaa4da38de691701f1fe912e1b685e9f53c61e984a690ff159644323ff0c697a6ce43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
5180b0d82da5b34498e5dac7cff792b4

SHA1
7934303da3e3e316067a6be0cd93772b19439809

SHA256
e34e5e741f9d34f24e9e00b8a628d72668005b5e6cd4ed11973a52bc7a126784

SHA512
b615b34db1dd514c34586cf74826234567646d933ba6ec621a453f01f592b3c94a5a462d3f300e1bb77d8c8c4cd7043410f873b5b78e95596c26b5a356556014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9c7fae8231dfc314858f152b99ec3620

SHA1
3e77ac1827c77a61e94c4f1fde49e1d35b7a410a

SHA256
9f6336b052593a43869b780fca2ac15ad2a7d31039fb468075818681522f629d

SHA512
1397b80ca2a6021ca382e800dbd1819d875fb1fe68d35d519b27dc76a900522102550f1b1afec082f30cf02ce6b4738c490f43d07f9a7f1dcf95f3702da41568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
58aea89ef81ed965764e600f0881c60f

SHA1
73389536fe2d6269433e272914f41c96914edfcb

SHA256
9402c13df4dde438e69a8b803d80b76560313f1e17e7f3b787c97ca7348c06a8

SHA512
9b8864e194a5b18f0e32a2d9150144669e01de6c4b5cea76644233e3c265ef224a301057fc8fce2651944778cf01ef32202edf3cfbbed2b47b32d2fb49cc710c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a4f156516e52ee9eea7eb98a952892eb

SHA1
2ffa46827f81b5f0be91ec20e99a75967f321597

SHA256
5205f4b789f56f2d1206ce10ae081e3c657a907433799c0100148d77a61abf07

SHA512
8aec1466f401379710b5701ece8b071a2fbf9e9647b5257e9ef4b3aa196457c8193a3d30a53449dc65d13759d1cb75d9c6cb50ff2af605a10e62bbb573c56885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df292d021de017dd294abbb40d370b67

SHA1
448b5c872f824be0b7461f26676b8839ebbed531

SHA256
286bbebaeabe791d102b3abcef167765048053b28f9bebfea936071ad8320939

SHA512
3190ee4b528789602acb7a94e4639b6455ca62d439f7e2e8e383a733e738e6ea3123a570c26bcbc4d9552ebddb94c298db43ea6b9a5618a0328f17f7ba65f7de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5ec895db323541a93fd9c565dd60be4c

SHA1
8cf17ef162344bf10b7c68e65ae7f7a4fbe05c43

SHA256
58fe7f7acd591954e92ddef7e45b0f9192f4a0462b4a0284baa990469be90d88

SHA512
9fc6d8898cc2f2817bfd690a5ec074b236b7f0bd241ab285232d6713c786bb0b196165415c2798be544252ad1b7bd1c42f783dc2df8befd28aa2c6b94b5e9226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57180c3e22acc5d915155a6a5729a5ef

SHA1
6b9f29daad6579ab9f7600b5ba7b41c10ced890e

SHA256
07f5dbc3b57a538f847a963b2ae630dbd32e68fa4ddc60503a2a746cdbc73d9d

SHA512
0ec8570fc36426b2fc7f1ed0155d1abb869f99ba79e2031d54ec3cee00e1ee10e68de1b05f8a71f3295896b62dd7c6e9ea9ff93c247b360070fb09bbedd9ce9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5387c61f70b2143afb8489e15ab4887e

SHA1
4c21c29a06d2c5b15a277c551640f72090c8a01d

SHA256
6d45d5fec78932d28770d5a41ace5b3946af29694475210222f0917c958c708a

SHA512
4af2dc737dc7b5f8b2037e2622abf6ba6caa907b3e06a8b894f6b6021b7a8a525682ded8b0fac29a19c2d92c9c731762accf96b1b4b5c39bcd25b884c090aa2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9abec30dfac3572bf4228f34c1c8658e

SHA1
4f792b4a1abf93acf5e28d3be835a2f275f71ab7

SHA256
736e78a896c41518f8d24ccaac04e90e23cf2943cb24ccf656e41513324450e1

SHA512
2712718f127a1b4e75e4243ff1155ab36ee5c7a263547ae7e5d76c94782465c79d78c649d3983f58084f3882b9d204bb7e030db5ba95e291bffbceec13068fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1044cc426bf6134689d3d0ac055ea3f

SHA1
bef9a988845dca479c7e9bba2d5ac0eb852934b6

SHA256
7c8c5c07a24e80ffd0a672811bae582e52fcda17ed9ff4d7ca8e787da893f8b3

SHA512
20f27223f64c68e50d979a5078b74e09576d820048cd79081b0228deec799cd290df30f05f12a9fa6841c2914eb9d95a76f7a78760e172209307b44650d77157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c17c321f038882c5ec0df8c67de38814

SHA1
d2bdfbad1cce4523011168fc221ef911261d0604

SHA256
2eba7d532ab0e3b8e9c0170b9e460af312175b82b0a001bde8210dd759584b21

SHA512
81e2afa163d9055796b2480e346e6abc3614e9ded62eda19a69eb3a71bcadc74acbb60ef691d235a45d11a3fcbc9b49e779fc34599a9bd9fb2d294100ff7db92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0fe03eb50f32e5e34c410f7edd54395

SHA1
0c81e709d157549ace0c5b488ed9ba16a4f37e78

SHA256
4ed9f2b49adae7d07279f301d1f7dea03e36ef46235350b5d1082352f0c3fb84

SHA512
4bbadb9b87afdddfa5bb37315b56561811e970a83af095e62a768a7bb79a1cea44b49d5641fc940b6acab67a86f8a61f9d9bdf031760fd1d5be182471c72727a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
ee219edc5fc6e800e3ff963f7cf3bc26

SHA1
2eee662a43c61e76673e9630d6dc913889e061e3

SHA256
dbf612275b9df2d0c5ba72d7b8a1ecd86cc118a094a03657db63b771407ea6aa

SHA512
de9dd6bfd742c76eba9e2daa272b45a5c186bfc19c45d8da3ef898c9212fcd0a02c5f0425be0c7b33b58d3ff13fe887999a35a172e7b159359825b60dcb77592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
9e92feda68372a62afd02dbe1d713ffd

SHA1
6be1d8589cc317cced54fd04033a4f8d3917c9c2

SHA256
c980685deb32ae848f46c5315107d7b024a6f49503680f6b225dc7611514fa48

SHA512
647e68f3c6f432c24239c78407764e88783ccd409451575de52cddcda2e9ea9b3c559c27e979061a5893843e821287f92eef862b25f8629d9bbde69adff0dbab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
6f80a6b6288fde606950b7bf3b0c4a31

SHA1
d5bcf9d5ce457dcd6d872e4315b76f79059b6524

SHA256
37c796f5ff2f44192efd08102119c70119d3af0e2d5fa949271105f69ecd7bbd

SHA512
2d5732e0b5bfcbcc78b18415bb85c25416fd98910bf7655bc74cee1c03250e47d6004ec7f4c036b50fca2ad2f9c377b5140e6b20b7d061eb87296fa3e49d1169

Download Submit
C:\Users\Admin\Downloads\NoEscape.zip.crdownload

Filesize
616KB

MD5
ef4fdf65fc90bfda8d1d2ae6d20aff60

SHA1
9431227836440c78f12bfb2cb3247d59f4d4640b

SHA256
47f6d3a11ffd015413ffb96432ec1f980fba5dd084990dd61a00342c5f6da7f8

SHA512
6f560fa6dc34bfe508f03dabbc395d46a7b5ba9d398e03d27dbacce7451a3494fbf48ccb1234d40746ac7fe960a265776cb6474cf513adb8ccef36206a20cbe9

Download Submit
C:\Users\Public\Desktop\Ⅿ៪ᮃ༝ᦲᚬᵟⳮḮḲᆕࢆὼᕤୢ⭅ᕦ؇⹽⥭Չⓒ⟚Ίᒙঠ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/2380-298-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2380-299-0x00000000005C6000-0x00000000005C7000-memory.dmp

Filesize
4KB

Download
memory/2380-482-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads