chaos | hxxp://github[.]com

Resubmissions

02-03-2024 09:35

240302-lkh6qacd87 6

02-03-2024 06:32

240302-ha51ysbc4x 10

Analysis

max time kernel
337s
max time network
338s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
02-03-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

chaos bootkit evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x000400000002a878-702.dat	family_chaos
behavioral1/memory/3060-711-0x00000000006C0000-0x00000000006E0000-memory.dmp	family_chaos
behavioral1/memory/1572-786-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1684	bcdedit.exe
2664	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2980	wbadmin.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
328	MainWindow.exe
3944	Antivirus 2021.exe
1020	mbr.exe
3060	Cov29Cry.exe
752	svchost.exe
2288	Cov29LockScreen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1572-678-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/1572-786-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
25	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\87kvangpx.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3040	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1240	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538348001470662"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	Antivirus 2021.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
4524	reg.exe
2964	reg.exe
4900	reg.exe
4972	reg.exe
4060	reg.exe
2144	reg.exe
3656	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AV Secutity 2022.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Antivirus 2021.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5096	PING.EXE
2580	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
752	svchost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
2512	chrome.exe
2512	chrome.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
3060	Cov29Cry.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
328	MainWindow.exe
3836	PickerHost.exe
2288	Cov29LockScreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2852	1804	chrome.exe	80
PID 1804 wrote to memory of 2852	1804	chrome.exe	80
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4692	1804	chrome.exe	83
PID 1804 wrote to memory of 4412	1804	chrome.exe	84
PID 1804 wrote to memory of 4412	1804	chrome.exe	84
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85
PID 1804 wrote to memory of 432	1804	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://github.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc1389758,0x7ffdc1389768,0x7ffdc1389778
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=336 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:2
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:1
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=216 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3448 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4832 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3304 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  PID:3044
- C:\Users\Admin\Downloads\Antivirus 2021.exe
  "C:\Users\Admin\Downloads\Antivirus 2021.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3944
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Antivirus.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2760 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1824,i,768080728909232091,12420864910216888964,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2812

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3964

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AV Secutity 2022.zip\Readme.txt
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\Temp1_AV Secutity 2022.zip\FakeAV.AV Secutity 2022.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_AV Secutity 2022.zip\FakeAV.AV Secutity 2022.exe"
1⤵
PID:2144
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MainWindow.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MainWindow.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:328

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\bd2a7eb0e99d4a38a2716876d54ad55d /t 1020 /p 4428
1⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\Temp1_Avast.zip\TrojanRansomCovid29.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Avast.zip\TrojanRansomCovid29.exe"
1⤵
PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\TrojanRansomCovid29.bat" "
  2⤵
  - Modifies registry class
  PID:1436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\fakeerror.vbs"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\Cov29Cry.exe
    Cov29Cry.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3060
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:752
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:5080
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:3040
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:1384
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:4692
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1684
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:4988
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:2980
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
        5⤵
        
        PID:4080
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 9
    3⤵
    - Runs ping.exe
    PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\Cov29LockScreen.exe
    Cov29LockScreen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2288

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1168

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Antivirus.hta

Filesize
662B

MD5
8630fa16691e438e5272f37096806782

SHA1
4d49582d446120da6d7856eba3f486c61692a98f

SHA256
0189de779a96cd4a5b0ce942264ef9d4fc05b7b62e1dde01bac9731d3ada6f96

SHA512
4748c5188e0f59beec03825eede6c143502388dfa60d8d0fca677287e209daf4da5f2d49709f8fb6609576854e47f36483bee54ff2019d6beed568179d602092

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
ed8322298d06f491f494f5e8c388e69c

SHA1
dd1c8c0595ce620796e61b7c832127d657b5099e

SHA256
1d64b5180af2d9f5091394e9438cb25adf84ab3073a0d1e6ceb2376a94e77275

SHA512
f79c93c22fb38a2d2a00995b1d0e3944e037c23f11362b8f2468b4d9808c8377b2484831a34e84f2f3d86934d3ae369a635f1459776d4d9b353fb6dc757134d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
49KB

MD5
93ab4cf70b3aa1641a4b258c3fe03f24

SHA1
cba2ddecb8e019e6e5a91dcf867c6d6094f39b63

SHA256
d6c2f9f2bb35841cdb53abb660544e6e6f44e39d6542323992cc1c63e998fa16

SHA512
70fa907afd9b52ed54a3cf755e394c40a3ff7a83041540b435cba47d889c1c9401afc9fb23a5e879d85bed42fd5df40cd7540d428b3ee7a9cdc278a314770884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
44KB

MD5
24ab2f3a8c26685b6be9d07b5ef7df00

SHA1
cd316ec3208392f5b2846e668337938511998388

SHA256
54364a48157dd6f58c16da41f7cf4e0ea32c2ccf432e5b0623b87223c8c3696b

SHA512
efab865d8590020d7069146b82d66a3e35d586a8672eaa4de3d3cd158680fd20aa7cc4520cae3a59ff10569e1ac9c295c171e27d3f364cf1ef3642cc696b9c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
23KB

MD5
77a781823d1c1a1f70513ffeda9e996d

SHA1
60776ceeb79ed41e7cd49b1ee07b1e09ff846f25

SHA256
b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2

SHA512
9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
27e4cacd09a7bdcd4365277700319577

SHA1
d7ba8a7006e7e8157c3c6a3dc9ca0a4e62df749b

SHA256
9dfa2162bfb41ab4d941bf2fdc7fe90cb8f36287a7acb825fb677ac4a3d267c1

SHA512
596fffdcf012c14faf411a65bfb88de7d53ae27974d7fe9ed47d324b900758a71902f0baa165e24b8958c4c394bef6f02ebf323e0277e706d92034eae00c31ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c37b73f4b174dcadfc0af4877c30ead6

SHA1
b14a33cc027149831adc5ca291fc561394bdcbc9

SHA256
4eaa3cf4b8b022e3e0f2aee7bbd1d601479ad76f3396b6997ec084d905eebf18

SHA512
c1844502d601c1b0a54b99f97ae902f990e1c6f6342e1b80de5888deeb95801c0430effbc7542fa5e3a3d5839f61aefc2c9a615e0a4c4c2068322e8484dd0667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\798a24f1-0c59-40ae-8dfc-454e0b44d245.tmp

Filesize
1KB

MD5
d78d46cc12f3b19006fe1678d505cc50

SHA1
a97370e2fa69ff7ffc138135b32153dcb7dd8872

SHA256
42bb642d90f3f5358fef86dad1f40637c5b04782ef2db889c0d967f1b7bd1fc7

SHA512
9b52893535812ee2280ccb22b140a15ceda0fe489856a6339cb03bb38027a58435aaed7a4baad302117bbdbd1b80e32c6df5d0914f57a655527d95e242b27604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5e6a7427a5a6de8f52f58b19223626c6

SHA1
665d71afef75e7b53f6ec7fcce131bd61218394a

SHA256
825538698ded42d800c335bb90491a0eb7dd9ae58a4fc8e98e6a0c03d66d3cba

SHA512
43c2878ef0139f275c549e9f36516e0b38b73763a9e9df5b1f3c4a203241ec1b7161edcc97748535c7919fc4c438182354048265d545fd10cb096e13e8e86e60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
22a908bcd790d529b809e9c4edf6d09a

SHA1
14337dc16fb90b49535e1083958fbc1aa005d996

SHA256
c96b0a75aae8718b0dbcd4bf625e7b067fba60dfb035f508537b67897759f1d7

SHA512
e16ac4de4e24eea6232de967f3c14297c44f78be227b200a60ef0e995461a729661b7e5c40c8b8a2f0672bc05a6bd5f93a03c3b9fe80d2bbb34c0ebab2e0e860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
36f9719aa4159041c3afe91aaf409b0c

SHA1
66564b51dcd253b7b22745640394d0eead5f78b9

SHA256
654a22c1ad8d1f3b5dffe2b77bbeae73079fdade664bdf7ecf273726edb87585

SHA512
d110e040cdbc299ba8784e39ff752388e9dc45dcfe77f0d2dcf188f2f751f3846ffc31f4266460d709c4ad9f1d143b5bcd7592368d51a6a849da1c1b674f74cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b3bf219ca9946ea2b0a23e043a7d4b4

SHA1
9fa3e2a45b4524570ab2683a6861f631cfee6708

SHA256
76747b3610c1c8fdcbdbd64054e5c810ef81edc2a56a27f3e4376c6b1fa3d537

SHA512
7e3a570ffe90e5672bace6a1136576a4e2bd2ab7c32dddcefd853df8b21923b59e8b5747444681e11e0233cbbcd4e68f682f2a77e565966a144b11063a24ad0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d1e90c86fcc7c36f82e4c6591d0dcb5d

SHA1
1e0c158c08d9dc8eeb0ba3257a22c5d5cd624fc5

SHA256
aea9300a950fbd7a0058df72bbba23f57d5894d74b867c37f14425e8707884cf

SHA512
ee6aa5989fbe8e7cbd1013348dab03a999a14ece56b96c3a56414f238fd0b4e624a9c572bc8ef86c34c4b9af8e042a80f3b19b97c7d40d1e3081308796693ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cecf9379531e6ce3828c9f443f07b3af

SHA1
c6377269b5c0da76c38af45421198a247dd7d21c

SHA256
2e954405dd71dc1338248f7398ba0d44d7afdb1186b984988739a62323430a4b

SHA512
e7d83ca1b2a2586abf136148571d2134a181f2373b5a88d2529b0c6c0b34eae963674f8b24542a2a178bafabfee7372905886f64f8a4467c5931673899130d47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
78085df0fa7c011da254c39c64d2dcf6

SHA1
c8520fc11b74639045510989cff60565ef122fcd

SHA256
3225525c2f9ffe9f2d91575e669ca31b456f59a03fe7a2fa91fcc0055b352d9a

SHA512
08ead0e91cafd936f1c62f9f7fb568500f1ae8027d155347e04a61629e2b5b49c2cbfdaab59f69d804491832732f6ed0f21cf74f9e4585a9e3cc9022e0947cdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
508fd5eeb7dd212bfdc0f9773d8eecf7

SHA1
03492fa59d7322e6a0eb1aa0a22082b733f07ade

SHA256
2c715f8a2ce617ce3833978eb57e395915c738755250f197e5cdd26a7b07a84c

SHA512
f6e936a6f73c98c9a53ff507afd321733441688d340005ab980e1bc45da198abdeddf1998b433968e1e4fa6b6fde9c1308ff3bf9fc3928c99245a1c5db3b9e5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a473b87df8c6d9fd7806198412fad2c

SHA1
e17906c76d3d7d510ed18d3384f284cda2f6bc06

SHA256
0c7ba94cd9add37dcd63f903388123cbbf5ee5524b7a426a4be0a2ac79cb058d

SHA512
f7a04c4039013aadf6bf4c1ff8a5d0a03c20d3a8e96ac1bd70cf9e7a2700303dfcaf22f887287d84013fc807301e54ed6d051a9df4b9c580c476b83fda2ff5e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
becc50d6e784da88c79c621cc66c426f

SHA1
9d96d090fff4f061ad9269797de9c1ed0f805a00

SHA256
598258591962087c582b78cb70ad9322cb078c7107231c5ed1bf4260aefbfbd1

SHA512
1a3214f6cac1715ed08b7ec5aa92c7587df04622c0eccef89e30c82369a93b5d7194408820d337af58f74fccebe71a8916e3a7722289cf3af42e2c0a3d809d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1449265c0b935ef3c0e8da312d7fd87f

SHA1
843e63d87cdb7bc26b997402ffc723deb4843f49

SHA256
9a2f007461f84de26e9003d8b03af0b8a9580d4c966ae9e0f5bc6163008ec32e

SHA512
dab905f7d050927cc606e1e76d21f0868dd10b4682e332bb96dfa04203f719dafe9621a4c31b6cf4a74f2f84fb1008b888b19fcc23a06bafabf568ae8888a5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70098319aee2d71c89165f115b05f3c7

SHA1
dfe73ca1aa4866c407734a5a95debc2839817d92

SHA256
fa100b9301dda3d70f4407e255761364b68f7f6255546d24589eb3734da76f59

SHA512
5b6efa9df1fce523c94c5795ba493cf9deaa7bfc28ed0c37c28da37caa083bc31f85316bf897babbcc987b47d69ad76abcd35530fa68e131e8f519f5cac113fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0954f820020c02ed90330dcc0dadb4f0

SHA1
89e3fd8045f907c435e5c8f6d9ac21317b4db3c3

SHA256
a00b6256f207b6ad58f04392db55f1220866e529a12f87f19df1f3e056d37cc5

SHA512
69d75517e038e81eccd7202957d0ba2877bb632e04627815404fd6b32f421fa4baaf65259429eb2649566dfd663d9180cc44386f85f9a0c6159c4791ccd97179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3295e5b14cba20e23415910564b0dce5

SHA1
a8c3a2708a27ca72ff88b9385f5cc0d378df0996

SHA256
df1d09a483e308885960c54dca0d05c327c19142bf111ac47b382cc8bd373c71

SHA512
c8970617040d9fd1ae7008c78729ec3e5c01a206818df5d1359a1348ab0e93d6f146c80090051c136ba17ad80cea55617bc48c43ff5d899836e568ffa3c4dce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
692dc3468151640a3094aba914ac439e

SHA1
4b15bcca74343a86e16efa756641a40b09b84722

SHA256
bac041586b94667e2c7631fa0d5abe149cecf0d7163ce94b04c7ac724d606eb8

SHA512
7db0379931128462bebc23f22f571690454cf4b393b9a86ceda8f44e20695463e4fc0a3b048446b2362440d2ba4f8bd02e3fc406e54b6e3dac650e9dcc09c7e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
4affe64187a3c08da398868ce084bc24

SHA1
7500085ffe70e145c22112c0325f8174342f43ec

SHA256
0660fe2c0ccf9c985da8b35ef731734718e3a5d2d067df28806f1eb7e543c212

SHA512
27a742d808c910bad443653445b3586d50572e6f3d0ed3c60aa26f44adb0d5b02374d9de6eb64984501e073c9f2d0ab91a2bb041ef1a225893dc611f53233309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
c4a29ad16bd3155c75b4325ab94cbb9e

SHA1
16aafd5e7d2791cbeccd6760805f4f43f43d4952

SHA256
d45de51dc4d5d375feada50af5c192748af475463b6890a2ab9c0be9c06cfa5b

SHA512
4c01d70fe7ef7fa68838d6474b182931f8b38945ad05090c888410295771e2e79aae6c4438f9265f7ede5c8716f6087c2df5a393f7a9265c504c07d30e8460b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
ec7d4f8f5f956ab080394df3d58df886

SHA1
d63fd279221414187320afead54a34460bfdf214

SHA256
8e60e041ad8d604423c5da073f2c2238a2036e8e6ad3d92dec4be64fadc30386

SHA512
80c49eafef3698db83dbd8c1b7f66df80baf760410b9fb98c934610d081f10507930ee9822057ed98d579fc9c2fa09cd7e7f7a441d5a8016edaf92827f818e96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583d91.TMP

Filesize
89KB

MD5
d99da9e927e0dbaf1ad115c050488496

SHA1
fc595291820c04d57c2c748ef611a5754909b833

SHA256
2e9f06aa3026299036cc0cc0bbf5f989a805900f5d437da68799ae7c4a8eb17d

SHA512
8e51c85bcd12150b65bff9d7bdc5e2174234b73fdad27f1276419d0db91236fa56269238a5234f93319a6f45c3022fd60f465d71089a1420a3571f6c1bac6fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\Cov29Cry.exe.death

Filesize
103KB

MD5
8bcd083e16af6c15e14520d5a0bd7e6a

SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782

SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\Cov29LockScreen.exe

Filesize
48KB

MD5
f724c6da46dc54e6737db821f9b62d77

SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977

SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\TrojanRansomCovid29.bat

Filesize
1KB

MD5
57f0432c8e31d4ff4da7962db27ef4e8

SHA1
d5023b3123c0b7fae683588ac0480cd2731a0c5e

SHA256
b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

SHA512
bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\fakeerror.vbs

Filesize
144B

MD5
c0437fe3a53e181c5e904f2d13431718

SHA1
44f9547e7259a7fb4fe718e42e499371aa188ab6

SHA256
f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

SHA512
a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\mbr.exe

Filesize
1.1MB

MD5
07209af1e426c67c563bb895ac7cad69

SHA1
fad5f1ed4c864df3d3eaca1faeb10a4aa6dee901

SHA256
17a0e035df1b3fd5db8e24ecf03b787d92b0c52b0c1e7b789bed57f4640743f8

SHA512
64f7cae303be397e0fb880d297f78d69d790f5f1646de78693a81b659d52a668f2b5c035d7b7458bcf1bacdf19dc99284c667d24559a9c38d0d8396b1448f121

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\mbr.exe

Filesize
1.3MB

MD5
616f346b22762cc88e39667b5a68fd9a

SHA1
960e3c53e5ce8d0ef6303670ad2323382f075b1d

SHA256
1d7f4397343ac89502f9021f81ad3d0e1faa7db421ac7c771fd1e382f583fc0f

SHA512
4eaad9d1a07fb87d98045c9a9630c13e600ceb1fa0d83bd4691c15ee05635766fc3f096f4c289abffc39773bd51df2f8ffbea46592f088ba7196bc1f3b9bfb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B5.tmp\mbr.exe.danger

Filesize
1.3MB

MD5
35af6068d91ba1cc6ce21b461f242f94

SHA1
cb054789ff03aa1617a6f5741ad53e4598184ffa

SHA256
9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

SHA512
136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MainWindow.exe

Filesize
16KB

MD5
10a8f3f50c25a248e2e2b5aeab9bd1c6

SHA1
150114bbabb6e15ca0e961e03c3f5f491864c48c

SHA256
138acf63924e6fd352bf6aae81ddf36602390dfa9af389e05a479282167667b2

SHA512
a355f5f474569a148be5b7bcc68312e5f9b9f190898499ded36834b27ac29ec6d4a9983de02ad8d87051e2ce313f1efb8d6ce6800e11d2f083fccfe6f312b18d

Download Submit
C:\Users\Admin\Desktop\covid29-is-here.txt

Filesize
861B

MD5
c53dee51c26d1d759667c25918d3ed10

SHA1
da194c2de15b232811ba9d43a46194d9729507f0

SHA256
dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

SHA512
da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

Download Submit
C:\Users\Admin\Downloads\AV Secutity 2022.zip

Filesize
234KB

MD5
414d6dcd42d9c8c69fca8fcf2e6099b0

SHA1
b34abd3ba9d74d0b14d086d7f925ac25ee96637d

SHA256
182531206ed75056250038eba0d125965c38a4c1b30b26ef13170c36560cfd9b

SHA512
dd6effc7d85ca989dc3ca5cc8699cba16187d11f0575bc22e7088171902d74461ce986ae983577fe8bf182dea5fec70734440da5cca1b6fec5d9b9de7d687caa

Download Submit
C:\Users\Admin\Downloads\AV Secutity 2022.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Antivirus 2021.exe

Filesize
603KB

MD5
a9781403e2e0f3539b81dbbc4ba52f07

SHA1
cba433e3c7690c1628bc620a43912f06db331065

SHA256
16837f396802d446e72fb4d02c68a2e07b5657e3e1d3d738b79a2c8992ad1ad0

SHA512
6c985a47a7bed1e150cbed5da08cb2528fdf8e5d80a482610ad7fb14d079cb19756872453b23ace8dade982b4979ff885de7b41e798b3d4ccdc957f2564836c5

Download Submit
C:\Users\Admin\Downloads\Antivirus 2021.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware.zip

Filesize
1.7MB

MD5
272d3e458250acd2ea839eb24b427ce5

SHA1
fae7194da5c969f2d8220ed9250aa1de7bf56609

SHA256
bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

SHA512
d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

Download Submit
memory/752-726-0x00007FFDAE130000-0x00007FFDAEBF2000-memory.dmp

Filesize
10.8MB

Download
memory/752-789-0x00007FFDAE130000-0x00007FFDAEBF2000-memory.dmp

Filesize
10.8MB

Download
memory/1020-710-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1572-678-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/1572-786-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3060-712-0x00007FFDAE130000-0x00007FFDAEBF2000-memory.dmp

Filesize
10.8MB

Download
memory/3060-725-0x00007FFDAE130000-0x00007FFDAEBF2000-memory.dmp

Filesize
10.8MB

Download
memory/3060-711-0x00000000006C0000-0x00000000006E0000-memory.dmp

Filesize
128KB

Download