Analysis
-
max time kernel
127s -
max time network
131s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
23-11-2024 15:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.pinterest.com/ouchtak/gaming-setup/
Resource
win10ltsc2021-20241023-en
General
-
Target
https://www.pinterest.com/ouchtak/gaming-setup/
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral1/files/0x0028000000045352-841.dat family_chaos behavioral1/memory/6012-844-0x0000000000C00000-0x0000000000C20000-memory.dmp family_chaos behavioral1/memory/5332-931-0x0000000000400000-0x00000000005D5000-memory.dmp family_chaos behavioral1/memory/5332-937-0x0000000000400000-0x00000000005D5000-memory.dmp family_chaos -
Chaos family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 5572 bcdedit.exe 3752 bcdedit.exe -
pid Process 2088 wbadmin.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation Cov29Cry.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 4048 mbr.exe 6012 Cov29Cry.exe 3152 svchost.exe 3312 Cov29LockScreen.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 31 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 133 raw.githubusercontent.com 134 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 mbr.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x6sgq7udk.jpg" svchost.exe -
resource yara_rule behavioral1/memory/5332-813-0x0000000000400000-0x00000000005D5000-memory.dmp upx behavioral1/memory/5332-931-0x0000000000400000-0x00000000005D5000-memory.dmp upx behavioral1/memory/5332-937-0x0000000000400000-0x00000000005D5000-memory.dmp upx -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\08c8c91e-0681-4a14-810b-fb24bc371d6d.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241123153031.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TrojanRansomCovid29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cov29LockScreen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5644 PING.EXE 6056 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5840 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 5848 taskkill.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings svchost.exe -
Modifies registry key 1 TTPs 7 IoCs
pid Process 1092 reg.exe 5924 reg.exe 2088 reg.exe 1260 reg.exe 2952 reg.exe 2524 reg.exe 5848 reg.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 5644 PING.EXE 6056 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3152 svchost.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 4744 msedge.exe 4744 msedge.exe 1520 msedge.exe 1520 msedge.exe 3284 identity_helper.exe 3284 identity_helper.exe 5916 msedge.exe 5916 msedge.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 6012 Cov29Cry.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3152 svchost.exe 3672 WMIC.exe 3672 WMIC.exe 3672 WMIC.exe 3672 WMIC.exe 5808 msedge.exe 5808 msedge.exe 5808 msedge.exe 5808 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid Process 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 4596 shutdown.exe Token: SeRemoteShutdownPrivilege 4596 shutdown.exe Token: SeDebugPrivilege 6012 Cov29Cry.exe Token: SeDebugPrivilege 3152 svchost.exe Token: SeBackupPrivilege 5836 vssvc.exe Token: SeRestorePrivilege 5836 vssvc.exe Token: SeAuditPrivilege 5836 vssvc.exe Token: SeIncreaseQuotaPrivilege 3672 WMIC.exe Token: SeSecurityPrivilege 3672 WMIC.exe Token: SeTakeOwnershipPrivilege 3672 WMIC.exe Token: SeLoadDriverPrivilege 3672 WMIC.exe Token: SeSystemProfilePrivilege 3672 WMIC.exe Token: SeSystemtimePrivilege 3672 WMIC.exe Token: SeProfSingleProcessPrivilege 3672 WMIC.exe Token: SeIncBasePriorityPrivilege 3672 WMIC.exe Token: SeCreatePagefilePrivilege 3672 WMIC.exe Token: SeBackupPrivilege 3672 WMIC.exe Token: SeRestorePrivilege 3672 WMIC.exe Token: SeShutdownPrivilege 3672 WMIC.exe Token: SeDebugPrivilege 3672 WMIC.exe Token: SeSystemEnvironmentPrivilege 3672 WMIC.exe Token: SeRemoteShutdownPrivilege 3672 WMIC.exe Token: SeUndockPrivilege 3672 WMIC.exe Token: SeManageVolumePrivilege 3672 WMIC.exe Token: 33 3672 WMIC.exe Token: 34 3672 WMIC.exe Token: 35 3672 WMIC.exe Token: 36 3672 WMIC.exe Token: SeIncreaseQuotaPrivilege 3672 WMIC.exe Token: SeSecurityPrivilege 3672 WMIC.exe Token: SeTakeOwnershipPrivilege 3672 WMIC.exe Token: SeLoadDriverPrivilege 3672 WMIC.exe Token: SeSystemProfilePrivilege 3672 WMIC.exe Token: SeSystemtimePrivilege 3672 WMIC.exe Token: SeProfSingleProcessPrivilege 3672 WMIC.exe Token: SeIncBasePriorityPrivilege 3672 WMIC.exe Token: SeCreatePagefilePrivilege 3672 WMIC.exe Token: SeBackupPrivilege 3672 WMIC.exe Token: SeRestorePrivilege 3672 WMIC.exe Token: SeShutdownPrivilege 3672 WMIC.exe Token: SeDebugPrivilege 3672 WMIC.exe Token: SeSystemEnvironmentPrivilege 3672 WMIC.exe Token: SeRemoteShutdownPrivilege 3672 WMIC.exe Token: SeUndockPrivilege 3672 WMIC.exe Token: SeManageVolumePrivilege 3672 WMIC.exe Token: 33 3672 WMIC.exe Token: 34 3672 WMIC.exe Token: 35 3672 WMIC.exe Token: 36 3672 WMIC.exe Token: SeBackupPrivilege 5888 wbengine.exe Token: SeRestorePrivilege 5888 wbengine.exe Token: SeSecurityPrivilege 5888 wbengine.exe Token: SeDebugPrivilege 5848 taskkill.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 252 NOTEPAD.EXE -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe 1520 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3312 Cov29LockScreen.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 2332 1520 msedge.exe 83 PID 1520 wrote to memory of 2332 1520 msedge.exe 83 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4980 1520 msedge.exe 84 PID 1520 wrote to memory of 4744 1520 msedge.exe 85 PID 1520 wrote to memory of 4744 1520 msedge.exe 85 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 PID 1520 wrote to memory of 4120 1520 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.pinterest.com/ouchtak/gaming-setup/1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa300946f8,0x7ffa30094708,0x7ffa300947182⤵PID:2332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:22⤵PID:4980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:82⤵PID:4120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵PID:776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:12⤵PID:3816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵PID:2020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵PID:3000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:12⤵PID:392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:82⤵PID:568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:3020 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff777fc5460,0x7ff777fc5470,0x7ff777fc54803⤵PID:3760
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵PID:4972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:12⤵PID:2872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵PID:3852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:5040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵PID:3696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:12⤵PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:12⤵PID:2428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:12⤵PID:5584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:12⤵PID:5692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2728 /prefetch:82⤵PID:5896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵PID:5904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5808
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3164
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4548
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\23079c6d-feba-4667-bce2-0892357e0ea7_Covid29 Ransomware.zip.ea7\TrojanRansomCovid29.exe"C:\Users\Admin\AppData\Local\Temp\23079c6d-feba-4667-bce2-0892357e0ea7_Covid29 Ransomware.zip.ea7\TrojanRansomCovid29.exe"1⤵
- System Location Discovery: System Language Discovery
PID:5332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C04D.tmp\TrojanRansomCovid29.bat" "2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C04D.tmp\fakeerror.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:5616
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5644
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2088
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1260
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2952
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2524
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5848
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1092
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5924
-
-
C:\Users\Admin\AppData\Local\Temp\C04D.tmp\mbr.exembr.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:4048
-
-
C:\Users\Admin\AppData\Local\Temp\C04D.tmp\Cov29Cry.exeCov29Cry.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6012 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:5228
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:5840
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:5528
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:5572
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:3752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:5668
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:2088
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt5⤵
- Suspicious use of FindShellTrayWindow
PID:252
-
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 93⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6056
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5848
-
-
C:\Users\Admin\AppData\Local\Temp\C04D.tmp\Cov29LockScreen.exeCov29LockScreen.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3312
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5836
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5888
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4048
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2748
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
3Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD56dda6e078b56bc17505e368f3e845302
SHA145fbd981fbbd4f961bf72f0ac76308fc18306cba
SHA256591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15
SHA5129e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502
-
Filesize
152B
MD5f6126b3cef466f7479c4f176528a9348
SHA187855913d0bfe2c4559dd3acb243d05c6d7e4908
SHA256588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4
SHA512ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6cea5cc4-9f1c-4ade-9765-5e5987e29d27.tmp
Filesize70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
67KB
MD5b275fa8d2d2d768231289d114f48e35f
SHA1bb96003ff86bd9dedbd2976b1916d87ac6402073
SHA2561b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1
SHA512d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811
-
Filesize
366KB
MD5e6940bda64389c1fa2ae8e1727abe131
SHA11568647e5acd7835321d847024df3ffdf629e547
SHA256eef5dd06cf622fb43ea42872bc616d956de98a3335861af84d35dbaf2ab32699
SHA51291c07e84e5188336464ae9939bfc974d26b0c55d19542527bdcd3e9cac56d8c07655dc921acaa487ed993977a22a0f128dc3c6111273273ff1f637b20bb56fb6
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5acb230c6df83c412676f5ddcd338e5f3
SHA14f7505b62af1fb79861be66976dd21ca0246346d
SHA25611338c344e2123034995f6dd5c1fb2f9f39d42b4e91754cf7af4876b1b9d9271
SHA51272241573516bbb5523af8823ccab377c08e719819a77f4dd99387a9662c3a9bdbee12d88efaa7ea1d6a74ae17c147d394aa3c54a1cfcabf7fc57488e63c442cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5794a5f5d474334d7ab52abad0586cda1
SHA171415c46a98fea6f09e6d97aaff0c8c196451b89
SHA25620e17f7b4741613b7b909ba40372a23579b04484ddb68be1933a7c7660a10cd7
SHA5120e4462e8b7c88f91ecc61e89a26b079e52e735600521d72128761ff079ee43c44492751d2fb2556c3dabbad9047228c220d42011523fc01a3566935976542edb
-
Filesize
1KB
MD50db0818b8201303e3498c773310cf35d
SHA19e20ac97a0173935460bdb02b80b8ed07f310272
SHA256e5b8df3d436c3acf927bc7617b83a8d47ab520b69193242cbae308f6691e54a0
SHA5125dbf475bb6b2282f5d10aec63a605ff2ab4faf92e428a4e2f32247b6f7fc90cc640c9dcd46749883e27be75aa9f7120a291960427a9d3c7712d18bf00ae055e9
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe584e88.TMP
Filesize59B
MD578bfcecb05ed1904edce3b60cb5c7e62
SHA1bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA5122420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73
-
Filesize
5KB
MD51f4b997bd28b67344d3fd8325c67a61c
SHA1c93dcf10387989286b68d0b5898abc8f6b7f5aae
SHA2566efde25474ba5f1cc6ca64bc969e4ae849a09ad55c7c3d6ed5fb5e71de64ec1c
SHA5123985d263669ba737948dbae3d8cfeb72af88606abc0258ab6bc919240feda27d00f1e9a8481be5709c22aa9a9f3075d1b610c3c5945271466957affb12ef02b9
-
Filesize
6KB
MD54390b5e67c3eb42ac389a3324111b818
SHA106be57f911dc6f84bf45dbf0840937365a120811
SHA2561ac354667e319181365f3bab3fc27cbd1a21ea730188f0c6484517b5833592d8
SHA512734e65911b45add1dc02e740bf9ec1dd51bc7789bb5c67d38667fb520bdcd34756c3b863e160d5fb162fcc7653f7330ae6afac9a08917dba4a4d06ad876c4c7b
-
Filesize
6KB
MD5bb90f40655d57864f1dc49f993c651fe
SHA1f4be0f616538582a084163e88557cc88163ff293
SHA2566fb114fe4b6d936b2761cc8249fdcddeea00ee16e2cd2752ebf22473b9f9c899
SHA5124561388fda69f0c4d355c6f9af00b46f6c94a16faa0a7e65d27e3748c134f3def03bfafee98519108f4d34567705c308db5fb99963813dbf54a55bd859ace9bb
-
Filesize
6KB
MD5bebfc67aa7e236d22d0b96463bdd0955
SHA1bc25df7c2ada4b1e8a0152f8f3854064404ba2c2
SHA2568e02e17dbebfea624fb1c682bea5926bb985f9271bd12b3d82f9e216ecf5ebe7
SHA51236c12323a3534edb5e376c954a4930cf4b8b1754b06401b7e68056560f10a44a4918303e6bd0efb3c80ba9269fadc84a7abef5c099cf11bb62a70218c3b1ba63
-
Filesize
6KB
MD50bf5b3dc44f39248e9bed229ff4a418b
SHA1e19d55ac665f094c9b2c7e7c0ef0f9097b67ddf5
SHA256adbab17c6db43d8e10b8831fef206be7b990fa75b3bc423d032e3e51438c1215
SHA512579996ae32509015e25298c1c6237db412bd6b6814f621d3a81e28985c68b1e0c8c5ae08fb338e12f9f0c2fe899fee72f1c6df172caaedc7bcbbcc1c357843fa
-
Filesize
6KB
MD53f7897543349c78e6052187d4c11777b
SHA1ffd7b6eb129a638f3bf992c69551b042c545c9db
SHA256b31929d2b3ae8a723547eef2bfed3d7ac6340ff87a4c0ad5694b98f920dd8fde
SHA512210ebc8acd79f48b6f4a7828a774b98f88e4fe48af8374956962c15fe393d710e0974ab3ced4f8f8501bd391c45446a996a16608b8d895c9152544d3b83e2035
-
Filesize
24KB
MD590cc75707c7f427e9bbc8e0553500b46
SHA19034bdd7e7259406811ec8b5b7ce77317b6a2b7e
SHA256f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb
SHA5127ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511
-
Filesize
24KB
MD50d8c8c98295f59eade1d8c5b0527a5c2
SHA1038269c6a2c432c6ecb5b236d08804502e29cde0
SHA2569148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721
SHA512885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6
-
Filesize
1KB
MD58bda48dc651320d800e229c437114839
SHA1985f7778b72df2049090dce65751067129d0e77c
SHA256b1d5872cc821873933ca4178a317aef98a54592180aea4dd3fe191974fa88abf
SHA512ae57ecda2bc127c18ae4941851e5f48368bbe1539b4a8aedc5773cf00afe4f900844760055a9aec54452974e1489a337b2f803676c0b937ede2c5c4ed4c3228c
-
Filesize
1KB
MD552fd16f961d14bb1f981c6ac34c65a49
SHA191c7f63947ac4c9c6ee3dd4837f2721b4bc2c13b
SHA2565ba250a56eb70b9a7562a0211fb29ce4766d84bd5d923cb0c951c4746bafd895
SHA512d2f1ef2bae2eaee63113c1eabcfaecdedaa58cf77b9bdab61f42dc48be0decbd9305903ae397afde1574dbbe3375079d5c99924faa2fa5f7694d58c19a1832da
-
Filesize
1KB
MD5a74b08f24e8a571bd79d10a87d1b29f3
SHA1a68d6faf72dbb9bd2b19790acd8aa9e39e6411a1
SHA256f21916c2ef29f479c79ad16667df9c31499cd74952d993647d88b1b4e42093c4
SHA51258d2e158d9239c074669f65293877f7d611856d3c300519eabf4bffcbe4c891b7e6bd17437930cd919fafb958878202d73656d0fe787b2ebea29b35e6152525a
-
Filesize
1KB
MD59c9c401f4b51b3e6842842e824ab00e6
SHA198a07925ac31fcaf83d4c0d5a76a73133a5ffaa3
SHA25686370131df29a6b73c8153ea30554d670e9342604e07128512a78625663909d5
SHA512ff9d695e6cf05268d1902af073bcf644403216139da9c8f67dda2c6aa15878aa959a87fd6e9e97de9c540a800d84f19ab3e50a398adb062c7d9d7780d8ad96c0
-
Filesize
1KB
MD5a7f67f11281ceca60163ecc4c8c00502
SHA1bfe9fa682e0d0d5f6607014841cd5cf4f55558f6
SHA256ae4e4e0d95cff9ca64d60738afb20d9f3cf268f2e4e11b656e0ba65697ae97fb
SHA51288c964daa9895aeb84c8ba7d02ec7a88118bc7534fe619ca506e2b3717abf12d84aeee5a91f246fd8d7150e8ee968c6dbbea167964ccc567754ad7ee2327ea91
-
Filesize
370B
MD5d6849ff15652f244563a85aa7d2812f6
SHA1220cbcb343cca58d5ced959d86f04fd40dba7ad0
SHA256e0b408a73c08cd37dc3233d2ba4eca1a5f27fb51f09c6b77e9a767e211cc6638
SHA512bad4b408b49a6f7efc0da4b59d3f5e7130fcb09cb9e1f8ed603578b1f6811342def98763de061fb79d69aa9417e3192c152cf3bbfcf18cbfc1d702b4b789d4c6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD544e4a763f98c94945aee146ff17e6741
SHA156f9cf8ba5211385bc2ec5e65b5900a7efecdea3
SHA2565fc9265caf60ebcba6c997368e2b5412f5c9dc5f56c6b345392fbb686d60447d
SHA5127552050ad7560e2221b72c3e4c95ce5cbb5780617c5e9a8b9adc02be9d7b27fdd361332257b471869a6385972c615cf9a1b2a7021581883c9b5f20b42c22e214
-
Filesize
11KB
MD5386a6f68a7805a447d77d2d9f4d20fa8
SHA14141780e7dbde532c80777aa3af4aaae575d6d6c
SHA2562804e5b859391aa5e924adf9da61c7820a29219c3bea2b99c01c791d62f09905
SHA5126743cbd8ca375a93df84de391e706ffed6bae4a716bd2c8c336c4d5f949cc6b7a861d9407a7b3382a9cf6877944065f19fc3df7be55f443c75b7c4c269360430
-
Filesize
10KB
MD5ea192f3c9b7af44e25e1953296c5db98
SHA1b3102291fc929e50be76a50ff8c08f217083725a
SHA25641d1181dadb09952066988a40f69bdc77ade14d4e0a0fec09b47fa832306984a
SHA512ddeee87ea4342878c19498c22f128c70ea297630d686b70af525d2f6a1b7949738e88994f16c8d26f2dfce70e65d7fef6f3c6a99c72a29ef0533389522b55e0c
-
Filesize
103KB
MD58bcd083e16af6c15e14520d5a0bd7e6a
SHA1c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA51235999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
Filesize
48KB
MD5f724c6da46dc54e6737db821f9b62d77
SHA1e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA2566cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA5126f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
Filesize
1KB
MD557f0432c8e31d4ff4da7962db27ef4e8
SHA1d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
-
Filesize
144B
MD5c0437fe3a53e181c5e904f2d13431718
SHA144f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3
-
Filesize
1.3MB
MD535af6068d91ba1cc6ce21b461f242f94
SHA1cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA2569ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
-
Filesize
2KB
MD5f150906bd0fe42873c771cfca6736424
SHA15b23516be65dc50014fa9d040b3a3c3175c4ece4
SHA256b67f40ae6e1b3fe3b0aabd43e32ea7e993a4f21ae56757a9155ae467e805b1a7
SHA5121694ed78bd2f6e3c8ad647d78efb42293b2a62f8ca9479e8e66ffdad32dde676a9647f035bb52f2993ddfc702851d19cc558cabe83debb46a16d5b976a2bd9f5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5c66d40bf0610bf8bdeb6cdeff5b17b21
SHA13e281c5233e99a41c694f7f48a5721801617ec4d
SHA2566fc457cd33a5bb6967413e84d3b418e4f0028adb629d80d45c2607c6b25194e5
SHA512ae67448a037414e9b4dc3c2b0fe82c30f190a3f70e1ddc646fc6fa239c09ee3d1172e08389cfa05e4c93db43ae3dbe2a798640c185a3822d45a52b3246c96f90
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD50095ac4ff4c9418d8601f7347710f44d
SHA10e3879fa6c091febddcce6bf47424fb06b792316
SHA25622308d089150452fff4302a6972679543642300a174ca7be45c525e7d1eeb516
SHA5125fb47f65c6315564d73256ad10c6d3a6ca12f76c3859001bfe406e2b3b4ee0d70d6e0805e26eb0be02360dc48fb9a6d0bc7029f2a20b07a5e69a23da4bd7d12b
-
Filesize
861B
MD5c53dee51c26d1d759667c25918d3ed10
SHA1da194c2de15b232811ba9d43a46194d9729507f0
SHA256dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c
-
Filesize
1.7MB
MD5272d3e458250acd2ea839eb24b427ce5
SHA1fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c