Analysis
- geolocation tags: na, new-jersey, north-america, united-states, us, usa
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2025, 11:22
Static task: static1
Behavioral task: behavioral1
Sample: sample
Resource: win10v2004-20250502-en
Errors
General
- Target: sample
- Size: 7KB
- MD5: 4b320922990cfb723b67147a7a97d345
- SHA1: 5d134dcee4aaeadbea36761640434a45c708b081
- SHA256: 70b68ac1477e49a4342383c6eff1056f6a18ff0727aa20630e9e7bc8701011f1
- SHA512: b21548566a22c31ca19de100264d1c2cefe0c8d8a0361f325194e6514453813376da301b4bb71c9ac0e4c3c1c84589276af79e7f48dd4e6d8ae553590ac823d3
- SSDEEP: 96:SDQ1jWHRUV/okJOlIDNSW0S9I3gtYEMLX+jZEBZu:oQHokYlIVYFSjZmu
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" (NoEscape.exe)
- UAC bypass (3 TTPs, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NoEscape.exe)
- Disables RegEdit via registry modification (1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (NoEscape.exe)
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\Users\Admin\Desktop\desktop.ini (NoEscape.exe)
  File opened for modification: C:\Users\Public\Desktop\desktop.ini (NoEscape.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 197: raw.githubusercontent.com
  flow 198: raw.githubusercontent.com
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" (NoEscape.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\winnt32.exe (NoEscape.exe)
  File opened for modification: C:\Windows\winnt32.exe (NoEscape.exe)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NoEscape.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (chrome.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Modifies data under HKEY_USERS (17 IoCs)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "141" (LogonUI.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133929914290378589" (chrome.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000_Classes\Local Settings (chrome.exe)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920234085-916416549-2700794571-1000\{FFC27769-7F48-4F63-A90B-BA550809B9EE} (chrome.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  184 chrome.exe
  184 chrome.exe
  184 chrome.exe
  184 chrome.exe
  3432 chrome.exe
  3432 chrome.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs, all PID 184 chrome.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs, all PID 184 chrome.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege)
- Suspicious use of FindShellTrayWindow (39 IoCs, all PID 184 chrome.exe)
- Suspicious use of SendNotifyMessage (30 IoCs, all PID 184 chrome.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  5676 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs, all PID 184 chrome.exe writing to its child PIDs 4856, 1992, 4048 and 4488)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\sample
  PID: 3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 184
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1ca6dcf8,0x7fff1ca6dd04,0x7fff1ca6dd10
    PID: 4856
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1900,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2112 /prefetch:3
    PID: 1992
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=1972 /prefetch:2
    PID: 4048
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2376 /prefetch:8
    PID: 4488
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3176 /prefetch:1
    PID: 1488
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3228 /prefetch:1
    PID: 896
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4256,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4268 /prefetch:2
    PID: 4852
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4600,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4716 /prefetch:1
    PID: 3552
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5388,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5396 /prefetch:8
    PID: 3472
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5448 /prefetch:8
    PID: 748
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5760,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5648 /prefetch:1
    PID: 1416
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5752,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5780 /prefetch:1
    PID: 1352
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3404,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3440 /prefetch:1
    PID: 3112
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3180,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4888 /prefetch:8
    PID: 316
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3176,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3376 /prefetch:8
    - Modifies registry class
    PID: 832
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5992,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5932 /prefetch:1
    PID: 1928
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5852,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5876 /prefetch:8
    PID: 3020
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5820,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5772 /prefetch:8
    PID: 5184
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3432 /prefetch:8
    PID: 5200
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5776,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4620 /prefetch:8
    PID: 5212
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4132,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5856 /prefetch:8
    PID: 4568
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5660,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4336 /prefetch:1
    PID: 6016
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6248,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=6236 /prefetch:1
    PID: 5872
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3412,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3364 /prefetch:1
    PID: 3808
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6000,i,6268355402232064795,7004844374667991368,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=836 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3432
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID: 1120
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 3512
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2916
- C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.zip\NoEscape.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 5392
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3939055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 5676
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
-
Filesize
649B
MD57a4b05960f3e86aae8f386065bc7a0d6
SHA105cacca5cbb8b19bd92855ad9c7d6fa82c8bf4e3
SHA256619e321f626be2a550097ddee04f97536921a57510c1e0c17531ca092009d175
SHA51296bfc437e3773091b39fbd92d39535da272e5083fa4c8f34b8cecf8b4e3521b5312b7848a8d3377adc1d9daf9790277beceb56db3bf43ed355a2d695f059a6fd
-
Filesize
3KB
MD5536019d65e29fa40c29ea5681499ba44
SHA1a74a104670487eaf3a63f3a7f36a4e36cd0aad09
SHA256417f5dc872a33cc63805ed67f1f9525cbbe5196638e8b6e46627421458b0623d
SHA512770d77c7bdbfc5c499993b35c69baaa8be4aed86c788623d162a6ae8ddd3e78e93248af7b0328bb8734d51d63ba293e5ae272e5b231387e7d6aef802d192b79d
-
Filesize
2KB
MD51aac4dfa17bc1071cce0547679a8a664
SHA173a8076d4551f8f303ade8b6ddc54e95a3073ca6
SHA2566b142ec01fa6f1ca0e5a1e4f9090958f96cd874bbe9d4ff78ddac28f7941234f
SHA5120c08ac64a23fd3e055e5c98c72a69096a9b7b2b77ba33d909f9f9cc2790a17cdbcbf3e5552a19ace144de1d088b07ae61e9d7528d8a190ace9e6c7f517173790
-
Filesize
7KB
MD5e77be477b809ac443093d2dc48c39f5c
SHA1bea4e69a9d4b1b630bdf8ea85500c46e82b6a208
SHA256081969a91090f98f37603344ddc75634996430cbad3b1140a2185b4ffb49e4cd
SHA512952ce53b32625d2c65b8b703a5f095e2365c0a9c4344180e9643d569dfcfb04db7b3f10ccce8d56b45ce61826b3d60a4b3e712ed5254a25db070341f8e1b12d7
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cf75.TMP
Filesize 48B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57c071.TMP
Filesize 146B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT
Filesize 16B
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\MANIFEST-000001
Filesize 23B
-