70971148ed1fadb17a1de707b03b0b61bcf9d523c540b9bf4e411b5bb0dda5f0

Analysis

max time kernel
1808s
max time network
1177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Covid21 2.0.exe
Size

1.2MB
MD5

a7c7f5e792809db8653a75c958f82bc4
SHA1

7ebe75db24af98efdcfebd970e7eea4b029f9f81
SHA256

02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca
SHA512

feb42cc7b4f344c043bda8bebeefa8cbb68406d1e937dcdc5a403981f79587fa438c682c4744a47a77482fc049b0334806d468aeb67edd4a92d90b5acd0c16ae
SSDEEP

24576:kweQ5x+HPXJ9N2qifMpZcu/6z6toe20xYuLFzY77+89J9o2:kwVeHhH2qoMIum62uhY7Kco2

Score

8^/10

aspackv2 bootkit evasion persistence ransomware upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x0007000000023226-79.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	Covid21 2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
4892	CLWCP.exe
3564	Corona.exe
544	inv.exe
228	z.exe
4284	mlt.exe
2456	icons.exe
4340	screenscrew.exe
4100	PayloadMBR.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/memory/3324-0-0x0000000000400000-0x00000000006CF000-memory.dmp	upx
behavioral8/memory/3324-37-0x0000000000400000-0x00000000006CF000-memory.dmp	upx
behavioral8/memory/3324-94-0x0000000000400000-0x00000000006CF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8388.tmp\\PayloadMBR.exe"	PayloadMBR.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PayloadMBR.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\clwcp.bmp"	CLWCP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\clwcp.bmp	CLWCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	4100	WerFault.exe	137

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1720	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
1900	timeout.exe
4312	timeout.exe
3204	timeout.exe
1384	timeout.exe
4312	timeout.exe
1568	timeout.exe
1732	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4600	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\MuiCache	SearchApp.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1812	reg.exe
4784	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4100	PayloadMBR.exe
4100	PayloadMBR.exe
4100	PayloadMBR.exe
4100	PayloadMBR.exe
4100	PayloadMBR.exe
4100	PayloadMBR.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4100	PayloadMBR.exe
Token: SeManageVolumePrivilege	4264	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 968	3324	Covid21 2.0.exe	91
PID 3324 wrote to memory of 968	3324	Covid21 2.0.exe	91
PID 3324 wrote to memory of 968	3324	Covid21 2.0.exe	91
PID 968 wrote to memory of 1612	968	cmd.exe	94
PID 968 wrote to memory of 1612	968	cmd.exe	94
PID 968 wrote to memory of 1612	968	cmd.exe	94
PID 968 wrote to memory of 4784	968	cmd.exe	101
PID 968 wrote to memory of 4784	968	cmd.exe	101
PID 968 wrote to memory of 4784	968	cmd.exe	101
PID 968 wrote to memory of 1160	968	cmd.exe	102
PID 968 wrote to memory of 1160	968	cmd.exe	102
PID 968 wrote to memory of 1160	968	cmd.exe	102
PID 968 wrote to memory of 4892	968	cmd.exe	104
PID 968 wrote to memory of 4892	968	cmd.exe	104
PID 968 wrote to memory of 4892	968	cmd.exe	104
PID 968 wrote to memory of 1812	968	cmd.exe	108
PID 968 wrote to memory of 1812	968	cmd.exe	108
PID 968 wrote to memory of 1812	968	cmd.exe	108
PID 968 wrote to memory of 3516	968	cmd.exe	109
PID 968 wrote to memory of 3516	968	cmd.exe	109
PID 968 wrote to memory of 3516	968	cmd.exe	109
PID 968 wrote to memory of 3972	968	cmd.exe	110
PID 968 wrote to memory of 3972	968	cmd.exe	110
PID 968 wrote to memory of 3972	968	cmd.exe	110
PID 968 wrote to memory of 3204	968	cmd.exe	112
PID 968 wrote to memory of 3204	968	cmd.exe	112
PID 968 wrote to memory of 3204	968	cmd.exe	112
PID 3972 wrote to memory of 3564	3972	cmd.exe	113
PID 3972 wrote to memory of 3564	3972	cmd.exe	113
PID 3972 wrote to memory of 3564	3972	cmd.exe	113
PID 968 wrote to memory of 544	968	cmd.exe	115
PID 968 wrote to memory of 544	968	cmd.exe	115
PID 968 wrote to memory of 544	968	cmd.exe	115
PID 968 wrote to memory of 2360	968	cmd.exe	116
PID 968 wrote to memory of 2360	968	cmd.exe	116
PID 968 wrote to memory of 2360	968	cmd.exe	116
PID 968 wrote to memory of 1384	968	cmd.exe	117
PID 968 wrote to memory of 1384	968	cmd.exe	117
PID 968 wrote to memory of 1384	968	cmd.exe	117
PID 968 wrote to memory of 228	968	cmd.exe	120
PID 968 wrote to memory of 228	968	cmd.exe	120
PID 968 wrote to memory of 228	968	cmd.exe	120
PID 968 wrote to memory of 4308	968	cmd.exe	121
PID 968 wrote to memory of 4308	968	cmd.exe	121
PID 968 wrote to memory of 4308	968	cmd.exe	121
PID 968 wrote to memory of 4312	968	cmd.exe	122
PID 968 wrote to memory of 4312	968	cmd.exe	122
PID 968 wrote to memory of 4312	968	cmd.exe	122
PID 968 wrote to memory of 4284	968	cmd.exe	123
PID 968 wrote to memory of 4284	968	cmd.exe	123
PID 968 wrote to memory of 3196	968	cmd.exe	124
PID 968 wrote to memory of 3196	968	cmd.exe	124
PID 968 wrote to memory of 3196	968	cmd.exe	124
PID 968 wrote to memory of 1568	968	cmd.exe	125
PID 968 wrote to memory of 1568	968	cmd.exe	125
PID 968 wrote to memory of 1568	968	cmd.exe	125
PID 968 wrote to memory of 2556	968	cmd.exe	126
PID 968 wrote to memory of 2556	968	cmd.exe	126
PID 968 wrote to memory of 2556	968	cmd.exe	126
PID 968 wrote to memory of 2456	968	cmd.exe	127
PID 968 wrote to memory of 2456	968	cmd.exe	127
PID 968 wrote to memory of 2456	968	cmd.exe	127
PID 968 wrote to memory of 1732	968	cmd.exe	129
PID 968 wrote to memory of 1732	968	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\Covid21 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Covid21 2.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8388.tmp\Covid21.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\cscript.exe
    cscript prompt.vbs
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\CLWCP.exe
    clwcp c:\covid21\covid.jpg
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\x.vbs"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K coronaloop.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - \??\c:\covid21\Corona.exe
      c:\covid21\corona.exe
      4⤵
      Executes dropped EXE
      PID:3564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\inv.exe
    inv.exe
    3⤵
    - Executes dropped EXE
    PID:544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\y.vbs"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1384
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\z.exe
    z.exe
    3⤵
    - Executes dropped EXE
    PID:228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\y.vbs"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\mlt.exe
    mlt.exe
    3⤵
    - Executes dropped EXE
    PID:4284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\y.vbs"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\y.vbs"
    3⤵
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\icons.exe
    icons.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\screenscrew.exe
    screenscrew.exe
    3⤵
    - Executes dropped EXE
    PID:4340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\y.vbs"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8388.tmp\t.vbs"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\8388.tmp\PayloadMBR.exe
    PayloadMBR.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\8388.tmp\PayloadMBR.exe"
      4⤵
      Creates scheduled task(s)
      PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 468
      4⤵
      Program crash
      PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4100 -ip 4100
1⤵
PID:1732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:4328

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4fc12050-8f0b-45a2-97dd-b3955e8fe2d7}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
bb3efc4678c65bea22cf9b1000554d6a

SHA1
bcfc7c481d46e96b3ee85356345e2c9c627c9fc0

SHA256
581e702dfc5b28e4878b457eb9b75695edd84284966323b3041339fca3abeeee

SHA512
048aafd9c02154b60a8f8bc68921727f37cefa683954cbaec183615b4b1fc5a5dd4ac5f79c97a802888fce45be09d16fc19d8a8048b45ed75f38371f703b92cb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4fc12050-8f0b-45a2-97dd-b3955e8fe2d7}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4fc12050-8f0b-45a2-97dd-b3955e8fe2d7}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4fc12050-8f0b-45a2-97dd-b3955e8fe2d7}\Apps.index

Filesize
1.0MB

MD5
5f7c5e66ba315e514d545000d1641a5b

SHA1
82d79c776959637af65ec3928e2f216db5691843

SHA256
2a3056fde926e91dce686884443cfb34c7d62d2c3cd9cb35dc125b739bc78f1c

SHA512
959751adff1ac5d8026db50163a679e459484d76f98880cb7e9ede3b17e606311fa6f212eba88253ccea924222c7a6b0e505c83a520b0be303db687264ceba97

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133542278454260051.txt

Filesize
74KB

MD5
80dffedad36ef4c303579f8c9be9dbd7

SHA1
792ca2a83d616ca82d973ece361ed9e95c95a0d8

SHA256
590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e

SHA512
826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
16KB

MD5
6e9417fab63670b6403ab18e0a742dd7

SHA1
e6290f5eba7f22edc2edeb6094f34a2338df1207

SHA256
69f2a01ce4cf39ddbcb51962eca00683121566ff58bbc39e8ddebb34c151357d

SHA512
9c74d34b8d1468e8b2595bc38144af34fda5bec255326965f8aba217b0ca8085f60d339c50870b4a88698cc477c02c5b41d700464b8292063fa2d3fb5627c5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\CLWCP.exe

Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\Corona.exe

Filesize
519KB

MD5
6374ca8ad59246dfed4794fd788d6560

SHA1
d54281430ad11272f657de4e909b4ba7b8561821

SHA256
25b6f4abc0b8a7a3f3cae54a2f75810b977c0f5ed20af98e77be9449e7135108

SHA512
0434f5c6ecd1a036a59e2f5de56f0905460d46c31fff6a7f160f54cfbcb56ea2da22647d564e53d66c47a789a67d165c59e64d924b0f2cf80fdcd865847a772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\Covid21.bat

Filesize
1KB

MD5
6b89a7fd6e3d9bdc4658162aaf468558

SHA1
f8ef11b2420b95661565b799d86c188bf11bf4a7

SHA256
76986cddbfeb8fa8738c8ca2665a7f91d19d1e8c6851151fcba5164e35618dfb

SHA512
f9b3338b65d5ca6cc25b1c36b2c3299d758d5e7ac92e6fd8d0298f945e898c51e548323f86a12983bb375e49404cb6b401f5472bbb580a6675df57277045ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\PayloadMBR.exe

Filesize
101KB

MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\coronaloop.bat

Filesize
48B

MD5
08437e731c7b135b3779b004c7863e5f

SHA1
24ce5d4075fdc5afec6cb87cacfc7b54deadc3ec

SHA256
043b49fbbe070997844a2c4467596553261bfb6ea79ac3c50fabd42146eea924

SHA512
6006014b10f400b6975b391be64e07e78fe5a3818cd39a0a8f9349c4cff595134fb5217beb5205e04eab86473c4fa0f6701b657d76c144540aa468d2d382c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\covid.jpg

Filesize
166KB

MD5
94ad752abc09644d0b91a07022ecb000

SHA1
7ee97dc56e62e7b2d86ee892e7cf70673252242f

SHA256
e3760c671cec108580d47b0f8c11ae79e9df9941d2e878032eeda1b510f91231

SHA512
9c0109a8e7de5ea42b3ce8788a412f6ed1158afd3db87884034631da15ec4c16275f0578c6ad438e91dc203c89aef725d2642e06b751df5cff0d47b3d9a1ad1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\icons.exe

Filesize
105KB

MD5
3ca1d5768c2944d4284b1541653823c7

SHA1
85cf021ac23cd1340c6d649e6a77a213c1f848b6

SHA256
4172c6120f8f98685698365d6dd52c80eb2080203cdde479009bf8f4fa770af0

SHA512
7972adb329dbebc347b8a68789bbac4ba7c230cc980910d18a322d1a512015633d2a5801e76c0aae2fcfe120790c69417864549787dfc37574fb0aa3bfc202f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\inv.exe

Filesize
359KB

MD5
ebb811d0396c06a70fe74d9b23679446

SHA1
e375f124a8284479dd052161a07f57de28397638

SHA256
28e979002cb4db546bf9d9d58f5a55fd8319be638a0974c634cae6e7e9dbcd89

SHA512
1de3dcd856f30004becee7c769d62530f3a5e9785c853537adc0a387d461c97b305f75cbaf13f278dd72ba22d4650e92c48edf3c3a74b13ed68ffc0d45e13774

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\mlt.exe

Filesize
130KB

MD5
a4e26d32f9655dbe8efd276a530eb02b

SHA1
d194526518fddd34bfc75cc0575d9b5cf3e1e304

SHA256
4c2277c81cbf6c415ab874cfb32d3b0049c8b18ac7eee1dd6c1f5d9f5f043c83

SHA512
e77c58b321a1c696554b018cc51fad2f2df4bac39fa90f17a83ec646c90d67b6da5fccb2e80c468e2cf32cc7f9f3f62b160c3f0afbc2130faa1002ecde5b5676

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\prompt.vbs

Filesize
188B

MD5
82c0a5e92259ff193b914e6c0d7c8a7a

SHA1
ed6868eff7055555689e613a62f4275eafa97c36

SHA256
02e3663bb7bc9f8fe4377887dc24e63fc83187be9cb0181f87e5f93af4c7ca8b

SHA512
43c1ef453531200dd625945a65727daef28ee480fb210e97846633841f8215261e3195a8be77c280e8b6fe193b59c7367302c3fc74879b5952fa31f3235ddb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\t.vbs

Filesize
60B

MD5
ee0306a79aaefbd4cf3bc7e5f8a0d3b1

SHA1
32dae2cfb0af831f0e8445f36c0d2ce0fe9b2e88

SHA256
969ae83f1366975bece266c3be5994291c55302e93564a1435fe542b456904ec

SHA512
fdfab128f4f096f4b4dd31758116522337644f269cb28e1496e20d866083bf31d277a123704e8924a0fc4ef0212cba89e3ab9fddcaffcf400c859c8df87736fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\x.vbs

Filesize
79B

MD5
7740551865a57633b3e92986352dfa1b

SHA1
74070b3636b69b710c32996fc1640129202f4caf

SHA256
8a36ecc37eb454fe13b4b31eb9eda67919aa5dd3a474480930982ef93334499a

SHA512
b4c5902f3ca91fa83ec0297254acf5f63b2145500863afb86f96b9c2d3844c8c476cd0f6dd31e3eb92c4aca2cd35c2f6be563549817b676fa9b4592f280c79f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\y.vbs

Filesize
24B

MD5
5ecb02eaaa322be4df7f61a1a23c799d

SHA1
bec83a2546f38a7133ef962d09cd520f87e5abb2

SHA256
d78710d080d6200bff04d443f8fa923f619914fb191dc2b3865da1f3d9739e30

SHA512
2306f4fc08e0aefe4a44c4507e46ee2d3d808423ec8d31980980f785e20c0df301a9b3d9a2469d609e054d5a8ac4089ac39ffb388b70ed8a36f688b4362a2f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\8388.tmp\z.exe

Filesize
412KB

MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
memory/544-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-101-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-136-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-130-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-61-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/544-125-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-119-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-113-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-143-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/544-107-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2456-88-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3324-37-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/3324-94-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/3324-0-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/3564-54-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3564-67-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4100-100-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4284-81-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4340-96-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4340-82-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/4892-38-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4892-35-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download