Resubmissions
submitted | id | score
01/06/2025, 12:54 | 250601-p46ynscp9v | 10
01/06/2025, 12:25 | 250601-pl3tascm7x | 8
01/06/2025, 12:24 | 250601-pk9kfscm5s | 10
01/06/2025, 12:06 | 250601-n93b1agm8t | 10
Analysis
geolocation tags: na, new-jersey, north-america, united-states, us, usa
max time kernel: 40s
max time network: 44s
platform: windows11-21h2_x64
resource: win11-20250502-de
resource tags: arch:x64, arch:x86, image:win11-20250502-de, locale:de-de, os:windows11-21h2-x64, system, windows
submitted: 01/06/2025, 12:24
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo
Resource: win11-20250502-de
Errors
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" | NoEscape.exe
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NoEscape.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | NoEscape.exe
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\Desktop\desktop.ini | NoEscape.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | NoEscape.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" | NoEscape.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
File opened for modification | C:\Windows\SystemTemp | msedge.exe
File created | C:\Windows\winnt32.exe | NoEscape.exe
File opened for modification | C:\Windows\winnt32.exe | NoEscape.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NoEscape.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies data under HKEY_USERS 17 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "215" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133932543018007891" | msedge.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-434880884-4028056734-3558218839-1000\{B05CD2C8-2074-460A-BB96-ADF3A1A57D32} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings | msedge.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier | msedge.exe
File created | C:\Windows\winnt32.exe\:Zone.Identifier:$DATA | NoEscape.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process
2076 | msedge.exe (10 identical entries)
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2076 | msedge.exe (64 identical entries)
Suspicious use of SendNotifyMessage 26 IoCs
pid | Process
2076 | msedge.exe (26 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4044 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2076 wrote to memory of 6072 | 2076 | msedge.exe | 77 (2 entries)
PID 2076 wrote to memory of 5412 | 2076 | msedge.exe | 78 (2 entries)
PID 2076 wrote to memory of 4728 | 2076 | msedge.exe | 80 (55 entries)
PID 2076 wrote to memory of 5904 | 2076 | msedge.exe | 79 (5 entries)
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 1]
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2076

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x220,0x7ffafceef208,0x7ffafceef214,0x7ffafceef220
    PID: 6072

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1716,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:11
    PID: 5412

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2552,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:2
    PID: 5904

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=de --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2132,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:13
    PID: 4728

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
    PID: 1904

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
    PID: 1700

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=de --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4888,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:14
    PID: 2056

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5028,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:1
    PID: 4640

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=de --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:14
    PID: 6100

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5512,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:1
    PID: 4344

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5272,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:1
    PID: 2192

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5136,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:1
    PID: 2296

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5168,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:1
    PID: 1516

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4752,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:14
    PID: 6108

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=de --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6148,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:14
    PID: 3520

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=de --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6716,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=6752 /prefetch:14
    PID: 4532

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6744,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:1
    PID: 4596

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7764,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=7776 /prefetch:14
    PID: 3216

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe [tree depth 3]
      command line: cookie_exporter.exe --cookie-json=1136
      PID: 4240

  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7816,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:14
    PID: 5804

  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7816,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:14
    PID: 2844

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=de --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6720,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=7916 /prefetch:14
    - NTFS ADS
    PID: 2572

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5728,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:1
    PID: 1604

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7324,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:1
    PID: 3164

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=de --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7884,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=8120 /prefetch:14
    PID: 2848

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=de --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8112,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=8164 /prefetch:14
    PID: 844

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=de --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8148,i,1110501108739830999,4283313579031530850,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:14
    PID: 1508

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe [tree depth 1]
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 236

C:\Windows\system32\cmd.exe [tree depth 1]
  command line: C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  PID: 2340

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [tree depth 2]
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
    PID: 2272

C:\Windows\System32\rundll32.exe [tree depth 1]
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1696

C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe [tree depth 1]
  command line: "C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID: 432

C:\Windows\system32\LogonUI.exe [tree depth 1]
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a27855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 4044
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
Filesize: 280B
MD5: b4af5a745b28539744b58a86bd8131eb
SHA1: 1891d8e9b97bab9c8199913b832036224f7abb08
SHA256: 6cb3dc503cbaec5c7a88e0e53fd658eed40f6867316772ac53a68320f4487c84
SHA512: 49d4627155f0878aa9760cbdd5e271c2477a665cdc368c57e121c1ce0c0331e61f0353b9034c6201404caefa7d6dcd44760ca609ca7f40eb2946f7f12cf848b7

Filesize: 34KB
MD5: 6997fcb39fe7781b738ca7f61524ff18
SHA1: 438e41ff8c55a92b59e1191ccee44a2eccaf811d
SHA256: 619a26750446f311c5c46d9cc74353bedf634e6446bd4b3b9f9d65fb87286c21
SHA512: 204bd2eaf82516ee5940e5c97c8e54744a14c7d102d00a20ddb55fbbe42bb59e628d9838e41007ba88f6d621829edfeea7d04b7aabf7e1caa6b712e8e48e5f81

Filesize: 100KB
MD5: db59c0de5aed8cbd1e58fe46fbc484a6
SHA1: e566b780f7f260f2023074dc00f4f2dc90425d0d
SHA256: ceb95d02805feecb2beac1818602542bf04251819bbb5ee6b48f16d2a96045de
SHA512: f993b6199ce5794eec155b543b75d70e839c7a8419ebe11df9b68c4125fe9068df4dd01c0a67ef8856a8b3ba13276a8f0a4914db8195aedaa9d0326fb91eb4f8

Filesize: 59KB
MD5: 657bd9b29babb07a279765be3f5e3296
SHA1: 4ce9ef80f57831bf3f9a776e4b86d8717388709e
SHA256: d9bcd368dc139e513e35c2bd32c1a60e8e650d4c5a4dfc379359a9d9357fa276
SHA512: fed84c228050fa65b7bad0e109579ff98676c275fcf2cea433c6e21274b7da7b78791cad067451a3ad6ad5d50d89117b86028f84957443f7f5d4013714b30df8

Filesize: 365KB
MD5: bd929e1b131c20289bc152ed817eebe1
SHA1: 2fb3b3cff0ce9b7eb0a9bbb398040647aac7c764
SHA256: 67013116698cf73be78acff4a37970855cb3980b57f43fda436bd3748eaf81a8
SHA512: 508e4bfcdba4de17c44579d459b92ef29d25b66b593e016723c98739e6b9b011e0674bffbecd7cf6427174fb1bade2eeb0c7b6d65cf4f11e9201d39de41585c9

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 108KB
MD5: 9b50024d7c56fe11207f0250415cae79
SHA1: c5cf3943a25860cc707cf925f68c528edaf05188
SHA256: 9a11a3da005b3895a4048cec20786debada2339e361389872b3578846b9fd808
SHA512: 7ed45e2b2b2e92c60c09ffa013b89d2ad57d4281232ecea09edbe2cd4729b3a350ef6be1a62edb2fd7089c04b070f42527a723a9bbc35cde57c5c5c59479e890

Filesize: 1KB
MD5: d31968dab293836b3c0ff6e242641612
SHA1: 58ff559515387fd94f145726cd1c18af54293187
SHA256: 6ee10fbd43567643c4006fbbf1004ea2230b363df82857db4d13a5fd86819a83
SHA512: 5872242472b5241a2e2c3edf8ce60ad3ccf09e1ce5a362f198f1d0cf148b6460a2dc62d4b1c07aeda94bc01e2f4e841485ae614a35ccb08f292e77878d9fff46

Filesize: 1KB
MD5: fdab952a524201a26f266fdf45779968
SHA1: 8f51d697f678c1570523aafcafb8903b750f2153
SHA256: b22c6c6baa0ee34f35e70a79b4d5ec34fc848a0406f0cf215074e44f53e8de05
SHA512: beea6a21e068d79fcc6b48abede2e7c1d81cefde35ea1a1c8070db32a37de06513fdc4e70b5a0d9c0d997a9ab1b65cccdffc47fce33c23185ef8fff669d802cc

Filesize: 6KB
MD5: 4b9b9d99f5c67d45bc438b0d27eb1a6c
SHA1: 42758ddeede98b376be1131f176b8986063ab5ed
SHA256: 962ac8f75c98a92401a6390946f2acafd777ef7dcae1ac89d9d2c20354e4aeda
SHA512: 09db29d7af6cd710ca8f467118c9ffdad5407191a8a4825a520470c6850e5b64f45631f00e31b82b15ceb92ac60686af2f8e953497467ed34b5728cf2bd7f11f

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 211B
MD5: ad8794f7fd5b362defd0703701deccd7
SHA1: 0a72879a46651d2e75e5af1a4322bc939226b87e
SHA256: 01f9764649fb539730f9b1d39f11854da97c4b6e28bd305002e18ee106f2a171
SHA512: 509012427caa2c10ecaaf97f0e9a0b3b8588396b5d81769261f496399e5c2fdd402a4065969317f414a345911649b5f663d51b99e9f42da83ebac6d24f8aa2a1

Filesize: 414KB
MD5: a2afc6a7cff39f593c62c4ed23cb98f2
SHA1: 8fba056f4a7604cc287982d043ffd0f2a2e44742
SHA256: ed88faa9755fbea9916bd39f0030bca0820b235e6db235992dec8f33abd5f58f
SHA512: 3fb5fd072119f49bd0f11d621a3eb3bb71ee86a240f6d76f2b7d5041bac616965064e964f07439c931983ef20c81e65e9d52837a21f4735fbbbfd575ed538934

Filesize: 37KB
MD5: 535b2b7b029dbf6a5d94e8e497e92518
SHA1: daff0d0fbb06e79ef43957ab87135aa0c353e4dc
SHA256: 2cd54acc9dcb59cb3fcf7b9afb3c431056ff11fadad76245114b18c1a502bccc
SHA512: 9c22518f3ea83a7108990fbc8cba6872de7a5d53c818024a64a0f44650df128a2b5de1945603c45d22dcde153b28a7b64966183a7e44993dce7fd480192a2804

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\38f0e3b1-e4c1-4929-8f66-ca1b9e3d5a43\index-dir\the-real-index
Filesize: 1KB
MD5: 51102c0fed6d2a871388a4137d9adbd5
SHA1: 762d4488f4b971aaf54da6e859e404b1cb92a927
SHA256: 452aa61954a89f3192b9b0c87bb16f1f97eced1b369558b434f9a8914d4ad647
SHA512: bf234afb70941cdfe2de18574f034e8703a58ce49fe688abf69082b083d177cf846545b3ba0ea103550cfa9fe3bf7bedd08b254982d7899fbe7a89e18a8b7940

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\38f0e3b1-e4c1-4929-8f66-ca1b9e3d5a43\index-dir\the-real-index~RFe57d040.TMP
Filesize: 1KB
MD5: 5b4a251f010c697c755c458fd8e80de9
SHA1: eefdf1f2e12b22aaf19a1a37fbf61ccf67da81f1
SHA256: e594f2a0d3e565ecdb88b2eedcafaa8fbc06c7372e94b124d80a15c7f984ab7d
SHA512: 4391279ee51d6f5b768a8847278927343f1fbf1de8a96f534ac47a9a1ca01b754070d3e3d06dbb44bc7926bcfa0768cebff11c4b9e008107c160daf774097f0e

Filesize: 24KB
MD5: 8d8f222c9643b027ddee10d609eac7e8
SHA1: 15a1e171cae7cb97f9469dc5304b2d974a3639dc
SHA256: 5f40b093cfcbf17c6d581477f465bbcb005125ea8297bed55ed452681824f93c
SHA512: 5d2da7a9fe698b5076dd6c545e237a4204594f258a57200aba4a502f39aab1719b4252b46c783bab2603dcc6f71053ef0955d0a000f44928e14f260769897338

Filesize: 41KB
MD5: ea453e8ec7df648b250b9884f5c6abaf
SHA1: 99fd0eda636e1f546ae6f6e1ccaa375f2ab0345a
SHA256: dc314aef5ca4202eb6ec193f7a9bed2a22fc39a9a5b16d7044078894c7a98ae5
SHA512: 0796c1adfd79c4a89ba349e13cb6dc873ed2d9957ad3120c030286a4afcdece20c595bf668999c37b41e1fbd877d23a78eb348e201044b41cc5b9e3879548633

Filesize: 49KB
MD5: a393777afb66cd4710134d1472543aa4
SHA1: 659e6183feb09b6f04dacc10e4210b5f3a3a7ff8
SHA256: ce0c053fe2ecb583a90632273d00e15be477c2f933aafe19efe478edaeb4126f
SHA512: fc3558ced2dd2fa02693d55678638fec4b2e9f859a435d7ef7f23313a7472823644491a5a9e47a9ad2cdc4813916225256827bb21f6c56eb8354bc5e44c6a081

Filesize: 41KB
MD5: 19f0820989c9c1cab676e5e174a779ba
SHA1: ae9adfb6943272ff21d847192ec894de79a13ecc
SHA256: afe7562ab21387573a1e151fcd83ecda27e6b53d7f92ca53d710442377248f2a
SHA512: 2f9dd57c3b38f59f8188620f4da3afe6965aa742b3e1d9ad6a2d314be1d6ce2bf3574efca2326407897ccae361f33444a709eb585551951ccd2e635684c6739b

Filesize: 13.5MB
MD5: 660708319a500f1865fa9d2fadfa712d
SHA1: b2ae3aef17095ab26410e0f1792a379a4a2966f8
SHA256: 542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c
SHA512: 18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 666B
MD5: e49f0a8effa6380b4518a8064f6d240b
SHA1: ba62ffe370e186b7f980922067ac68613521bd51
SHA256: 8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13
SHA512: de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4