chaos | hxxp://Google[.]com

Analysis

max time kernel
1454s
max time network
1463s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-04-2024 19:34

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T19:59:40Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10-20240404-en/instance_11-dirty.qcow2\"}"

Report Analysis Logs

General

Target

http://Google.com

Score

10^/10

chaos bootkit evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ad5b-1175.dat	family_chaos
behavioral1/memory/2928-1183-0x0000000000700000-0x0000000000720000-memory.dmp	family_chaos
behavioral1/memory/3684-1193-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos
behavioral1/memory/3684-1198-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1676	bcdedit.exe
4032	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3248	wbadmin.exe

Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
632	mbr.exe
2928	Cov29Cry.exe
2464	svchost.exe
4676	Cov29LockScreen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3684-1150-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3684-1193-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3684-1198-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1739856679-3467441365-73334005-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
464	raw.githubusercontent.com
465	raw.githubusercontent.com
86	discord.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nw7o35vzw.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1120	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3040	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580289292678467"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	svchost.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
796	reg.exe
192	reg.exe
2768	reg.exe
3568	reg.exe
2880	reg.exe
4216	reg.exe
2468	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1064	PING.EXE
752	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2464	svchost.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe
696	chrome.exe
696	chrome.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2928	Cov29Cry.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeCreatePagefilePrivilege	2836	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe
2836	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4676	Cov29LockScreen.exe
3028	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2856	2836	chrome.exe	73
PID 2836 wrote to memory of 2856	2836	chrome.exe	73
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 1596	2836	chrome.exe	75
PID 2836 wrote to memory of 4488	2836	chrome.exe	76
PID 2836 wrote to memory of 4488	2836	chrome.exe	76
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77
PID 2836 wrote to memory of 5112	2836	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe1b289758,0x7ffe1b289768,0x7ffe1b289778
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:2
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2704 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2716 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4684 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1528 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2716 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4600 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5312 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=896 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5316 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2948 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5744 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5348 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5920 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5136 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5312 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3932 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1748,i,4523168390546836272,2843352418238677817,131072 /prefetch:8
  2⤵
  PID:4684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390
1⤵
PID:3148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"
1⤵
PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4C15.tmp\TrojanRansomCovid29.bat" "
  2⤵
  - Modifies registry class
  PID:3028
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4C15.tmp\fakeerror.vbs"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - Runs ping.exe
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:192
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3568
- - C:\Users\Admin\AppData\Local\Temp\4C15.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\4C15.tmp\Cov29Cry.exe
    Cov29Cry.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2928
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:2464
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:168
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1120
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:4964
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:4020
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1676
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:944
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:3248
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
        5⤵
        
        PID:816
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 9
    3⤵
    - Runs ping.exe
    PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\4C15.tmp\Cov29LockScreen.exe
    Cov29LockScreen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3872

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3afb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4054d729-5094-494d-accf-daf2ad77ead7.tmp

Filesize
136KB

MD5
4dbdfb7b224ef025f757307846621a68

SHA1
984d45c21c2d2b85032f87b168d7569bfbfc492d

SHA256
28daa99566f4c8d2abe1c28b278c4032341e0e44ff4ac04ad434892c95f890d1

SHA512
0f598d89276a13049264d5f69a729fc966b848030b257d69590566b3c52b57b674d5f6a6c244cc123cec929e9ac37d7b858772f6e0934591f593d49ee900a5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\983ec572-cc7f-4bec-aac9-fbe1685e7d71.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
1024KB

MD5
4c854f6a720679c21e3dde00ee038b9e

SHA1
72e1207b3bc3c6ac1c1979feb2c125f4c78c9844

SHA256
c238d5a6a17192cf7addeec1c10ab944872755ec0418ff5f7e60fa69635a2f3c

SHA512
ab4c7ae50bc4797ffe8886ae48041896e02037a8588bb3be7eeea500531943c07dcd9135111d0583eb203a44a14a0332ce46e7b21e4580b309f24bcb5c3eadb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
1024KB

MD5
05ef52ddf5cbcf0991218279d6f21845

SHA1
6bba1d2495eed4daf5c0b8667223f828a37bb44c

SHA256
a38e2ef831702d04bd041b662b5213a25fad56dc630786e8829516f1eba2f7aa

SHA512
d6fae391e4a3c86217ed96e1bcc47ca4f84208c2f40e89f9cc684c81d0246b1ddf56db98468e19a58dd9aac22fb3e28cb043584d229249fd85838a0d1d04b81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
1024KB

MD5
bda6147b324f6d1c522cc7e379f2fc82

SHA1
2b7b81867e20e91b91868eb1d48cae5360dd1a86

SHA256
4801ba71eddd7737f7f4f6fce6e401890cc10829d3029ba654b9057be1950d9a

SHA512
422a2919b134443dcd205998794375a9de1574cefbbf1d9e5f2a3e040e9adfc934234f976e79cbecfe3232095746b0a1353a780126450a818f15a13d4f1a1d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
733KB

MD5
46b068660e469e3d67cfac9c4db6048b

SHA1
143b88c463a74e5b138472a459d0b5040c7cc66a

SHA256
d1dde8d3e590ebabd307729c2d5b3b110943a5d4489833f26aa9fd28b10af05d

SHA512
6a2e1a7d442761299e8d6c3bc2eb5e7de57cda18135e8a958e06b4fa5823ce159b370899ada04b39b3ec640714c33af1124105be40680cd810ba82ed5c00dd27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033

Filesize
1024KB

MD5
3e72cb741014136dbd20dc2baf81213f

SHA1
b85b1a405d5cff6f0f54fd5333a180401462c947

SHA256
cd08af323a47c3b3a19fdd4734bcd083dfce9d0b6bcdd5552bda710fb90028ec

SHA512
f352e1c56cdc21f3c0e94cc087a8dad28cea4c1ee0f98b4ad067d3cd17a431a4dcb41f7e17c1b50abc2cbe88df48a6cb45b0b187eb08661519f1809fb9c2c434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000067

Filesize
21KB

MD5
0e847f027fbb082006fad9238ccb706c

SHA1
ba6ccd3676f25973e949c155c0e0981f0e63f07d

SHA256
b4048e7de781dbbe04d9d3abe217b66f7e199b52e694c94c267a644c7cd99f88

SHA512
a539fe2d5b0b9adc07deaff1ab01a710604cefc08fe875047f2d2214b37bc6de26d0a4724c20d953dbb15c8916c93da114de00ccd1b7c9bee01994cb23cb3c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f7b532fe183a75bbb402d57dc1320828

SHA1
86bbb019b444a4327ec6e5aa2d93cebbbdb0a31f

SHA256
670e2c3a213ca0e6741efcb068b62dbd74f84aa501e218c7a542263ce74da016

SHA512
732ac4b395f9ae3df5feada3734c0170198fb15578cc2b519eb6e4d1817344be987fab6db53294f86043556b9d52bc0868a0a40330857c7f307da2b5f4c9a12a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5f0a9a05d59ea41147dbebe7d26cf2d7

SHA1
fba23641313963511487d8af5ee78d7e98af1236

SHA256
1a8b8d146a5542b0babb793bb6726e586aa9da8fd20578ddf67cacddaa84793a

SHA512
2700492111451c1e949a897b2d11606fd379fb6cdcb1a0b7e09862fb91e2c2ce622138b0e902e2bbde634030a7ced520cd7b47ab699f7bfed62202f3b4cc63be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e002f4bf62fe83b23856077ac0223e3

SHA1
1378ccd9e86119ec41376ca5221a4b676f573ea8

SHA256
c8e148649ff32888c8bdb9eed590953dd6c0a1a555a621de218d44be97c91132

SHA512
3eed55306782a3b73cd681cf404cb84ce2a0cc41f65e657ff97f26e8c8cc9a1feae5fa39a340c182137da4a58349a9ff132174537fa81bc4b9c3716d12da8601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
da0c531192cd71f76103f8ffe2bba0fd

SHA1
72cae3a9a1e3506d8148f229f9f76ba2007caaa1

SHA256
432b9646d896d3df6515e4305e24ca3d47e4f92fab966d49916c9712d5c088c9

SHA512
c8590e38b99b9869f2f9d67232183ddbbc3b28d1507cf90587ede02fa8f84845a7e1a8dd22e52b6361c0fca58f1d8a61d7d0c6df92d96c71049a30055d51deef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
beb5f91ae0f576bb28cfa224faa4a8ab

SHA1
84c24e4aa34aff128b0315448c1fb2f0891d160f

SHA256
b8df2eedee239a60295d83753b10fefe8ebb71e0b9418824710fa808cdc806b3

SHA512
4a7e3139cc6f02b49948116615c0e8c478e1decf33b8b05a837b2988270c64ad48129cc952127d96a9edde30da50f57919b9b09c6c844478585518625c905507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_now.gg_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
24e81e2c073817321605f87912f5644d

SHA1
eacdc62bec7ea78d9ffcf96de5ffb68f7d7d2f8e

SHA256
7174a9114aa97c6c33013b313b20d63c5635d62fb327b75bac2dbb297e8dbacd

SHA512
6610ada29ac9109fa9e59bae54878eb180b04fab4f840a2b777dd1129099963b4d7daf86271ea34f01bac2ca92a2fc2b54277fe13cd893755f12263d14afc0dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3cbde300256e3b2767b20c7e4e798473

SHA1
1fce3d0239c7a318a5fb3cc3c2f382770db0c1a8

SHA256
3bf3cd2ac46d5ba9606bd3a3842d4fab9236515d489984d8a3a5f9327c7db0fd

SHA512
c2bd2ccd73c0dead62c8d797175fcc32d47548df188fed0bbff0048ffc50a22d0a1ece2c6efc5a434edeb8f188e70b7c5770868127195b0ec12b7207113e443c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c8327ebed80d5be68971ddd63ff76f4c

SHA1
d52121b294d6e6c4668ae61b0dc36858d2325975

SHA256
d7b694e1096cc61add531c375fc3673a33e4f89586d5d51fd3dced56b483dae5

SHA512
dab33fc7123aa5b4219278d5139415ebe4d73950ff9269c08d3c2883f2a11e802731ec554e74302860abbe3a9b7f31915ab6aadc62ae29d2fb85bd4125852d30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
e4b6d13afc2a13c6595face880de6734

SHA1
738814b53a4cef58859746c1ac2bc403450ebe9d

SHA256
7185547787a808adc5a70771ba15f30c4fee7c9a0bda2b7e6b856a30e3b93e90

SHA512
2f4c4283a44c8aeab3908b7588b5b6a4ca2051c8571bd427f4d37c51447656ed741d7fe55b74af3e5ff28559ecaad961b6123b6a41c365845fec62afb0efb3c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
dc1d2e36c8067bd79d48141d07e1de18

SHA1
a87ae0e7b215cfab82b4d5034f13b966196073b2

SHA256
add86b24f84ee0c22ceced09f0efd6aa654cd8c0203e546046c3edd83bd49ced

SHA512
9d66567bbfc67269979a49c0baff7d06cc262057565596bf663a9cc09513fd6149ff75cdc8f5e86af2067ebdbb735fae9bcdcd865205c716e957c447859df4a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
6ee5041437aef5b6acc6abf47bbbb8ce

SHA1
c82322de8f62c51fea85bf1bdf9c5585bf4231b6

SHA256
706538a5d109beb982add340816059a0a4ab03d56a9777262601a1c4697a4db4

SHA512
1d12e1d0a4748a57df8ecc46b984855dbabdf15a8fdc0b49b428fb09951cc609f1151c947e28a001c5a23f59c2e9c30320f68614bef4e4a473d7829c17120287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
965fc4c6a23d41b71a33adb4ec33180c

SHA1
29e23fd3e84e795c38f6c0c2f4df70f215e20422

SHA256
0e04ead025984e47a4e79a1b149438852b7f5296fed20ec3ba291241abd2976b

SHA512
617ee0f857155c6b3d094517c5558dc348c9a8196f9617783600b48fa61f754e1a4d7fba085ee6c4261b409a3c1d2b9eee502d757ed8e88e0645dbe95d0c8899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
2afa07aae9d26e0f363f17a98018ac3f

SHA1
4b4dd95f4b8870a9e15cf18ac3b7c9ea0c66df64

SHA256
eb916172dabc6db4432e3d3a1c6f3f1bc147d8d1821b910f898b458efdffb4a3

SHA512
7406c644155e903326c57dc6b0e754594e09455b3c388d86125e96a40e88260d2cffa24657570e19c2c23b55b766463286bee6c6ad03518a9f28c13ffcbd5e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
b63bc3a5b0e7d286867468a9f8ec87a6

SHA1
a179e83d8e3e2563f5bb9d8c3cffb161d818749e

SHA256
ed823045a99bb9cfb19828bd3c9e70264fa980efcfb9ffd5beb729c35d7a25d1

SHA512
3103bfaeacee91fc1a3392f59d993ffc5ab9282085b5e7ecf191f39f64114f11c4ac341cace6e458ab155e9fe7a854e20da863d9c627ef9616aa29be8aff9f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
ab121cae6537bcf99a7da76c48926500

SHA1
aebdf0a69dc582b53e118071c6d0cc2acd6cb7ff

SHA256
06cebd715e3981fbadf78923c167fa79601f61b38e4669b283ff5296c908ca75

SHA512
f69cc1ba04804ce4c910b603a1679d00d705609964f8fb0307cc67f99ff1c80a49b1d29ccecd48cb3435cfd2edfac54a60682c14598cdca2577ab174524873f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
a71fbc720c6adf8795d6f21ed67fd24b

SHA1
a5f6b49791b6a942f4fe970634c170e4ea27ce90

SHA256
8577f3410c56216068ba7cb6ab9d73c9da247b0fadd91ee1e3217c93e101178a

SHA512
9af4c0ba8eb86ac6e80b60fec466dde8e66339d9a574f24c6c1945197ace5e387a31cef6a42fa329358b080d1e632f8fc3390839ed08c2eb8fc4b1c667280f41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0d6d7ae70a6a588577de5ad7f2958d37

SHA1
37060a362af7473e55bba08ceeb123d352a0ff0f

SHA256
5359f5b8af065d9b220478d8ddf203f8ebc2502bcf6975234f9dbc4a12e0f06a

SHA512
acb52a8c39e955166b622cb143c6925a349d2e858fd6918de7e9e2a96cf53a4a08d8d60f6ae96186ef25b9435bf561c67eccc5f6cddbe8e13b48a99ee00752cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b565de5cb63174f618de4679436ec221

SHA1
602518070cd094b8236f180870be45b56b91d270

SHA256
c041d888672a682d4cead02cf9fe873730ab0ede1890e4089b83ea5a0c2fd3e6

SHA512
43408f85a0d33effe4dd81232b86670491559b59c2f816ec59f6448fc7a62f04c54451369da65e67231df02860f8294fe2986adcce3bc058d7175f2097b0a09c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
63a5782cb88533b50414330b06fc5b45

SHA1
7c7d88484f66fdba4d55f646e5183189384e05bc

SHA256
6f6871fddbba308b0605101fd1f3709503f857a4131b970688583b00aad5c5c8

SHA512
145921a2741b660e3de0b76615c1629f7b3dfb1e77cde24b587a671e56a4ca7d74f591838ef5d620033d0fdedf3ee2d055833fcb26cd0274ce81d20b64ac9815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
fb36882a797d3fd75e00cad7182f38dd

SHA1
b07778dc3dda623faec7aebeaf4d3f9370a47f6f

SHA256
5bd52e85a0b1270face937178efdc9b3c51ff1fc12e682c5d56f25cf867abb59

SHA512
7f956fb8778390c6b018a01b156307868f651751765cc85f393c8331a012f37618d33f7541429542f7ceb6caf84da83218de135fac7e08631bdda060f76cf990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0ebe3d4d0e45b567cfd8e3daec033f6

SHA1
497d8b0c20ddab811e41d8b1d87c86be8dcc30b9

SHA256
602fb9ccf094043165accc7be42fc3fe213dfe13e64671ef6e3b93ebaf8f5d67

SHA512
e43d5707a85d8b469528da6ff3cc8e54a8188c551dab4045b84b0d5065158bb56585ce12d4a2fe093dfcc2798c86165c7c18558245a6241ef531f66c4476a366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
7d77b81fb0c86624ce403c2cd15f52fa

SHA1
94d7e660df0c442e5f896411dd65c5725f831d72

SHA256
a9a35218637343f89bc4d02ebcd483930999c61efe7dfbe43dd6ec0784277729

SHA512
e9398906d7af6d1d9c6281e7ad3add629fcd5e28c84ce044192aa9c9e483c1dd626c9e2612a4657d419917f2ef0fe0382a80881c947b6004fdd0d0f40f9fa22d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7aa744190c849344569dc640829d5c24

SHA1
c7faf5cc0f4d47627f5253cf3a7cb5437d0814bb

SHA256
929733103049bb730eaa2896cb78f8403b3d2442f5ad1864013758b125bba5f0

SHA512
1dba01be094f433eddbca667b34b8676ad726987f1e5154281b6286429ed86ae65afa2154a5bc841d519a55e0993362c39472c7d22aeaa4cdc3a2ca69aa406d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
539c591c6df21396e3e4ef70a78922b1

SHA1
196f7a090288520e3342896ddd4b33596ed6aefd

SHA256
9333b8e3a82dc450064243d567012a25974c8911800639cfee25a98f4faf9f62

SHA512
cf7c765e9ad8b42247f74e33a663851b8d6e24d174dc1c11f38bc797101c7334c7cbb6d97a57d3c34d604fb0efc1cc825acda82bb9a7f6a6db1bf815f4313cd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b7815e61537130c22b2bf7397ff4e754

SHA1
95fcf5b1b156c7d592dcd54bda2a9736286a9db1

SHA256
fc6f8669970ee1672e675084322411277641c1291a121fc727d5329d1248d553

SHA512
f222c21d32260567154114eaf44011cb130ac894d4b7d81ad60337ce102a2d43176e21d2406141e9384cd95f599825baab8ff3672742202836fb350a3842a23d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
05cfc18e6f5e16518ce88955011cbd3b

SHA1
6b1e7d4e34ff7717223626587fc00554e62f2a8a

SHA256
b0ec362d28038ec24ddb4ba14504ed7281639b7080b2deaf0c7d438d7ab51970

SHA512
1b7c44850014cbc429e0259fe11dd8c20a28dfbd42f4e47326a174a31c6eeac76d9e16c7142903356f2f678a63a370e64b1419cff47771ff60e5d8e28b835126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
245c8ae28ea2a0a259ac69e0c1161819

SHA1
54257a9c6798878f3e3f16e61504b7110d226adf

SHA256
6c138a16d367834edf2382ca62e5370983d6daa56d55ab8832674cc92c71ae9b

SHA512
48e0574661167b739b2a1a7a623055846164cdd8dfb893ce24e8dc87eaf5f685111ebf1c56806e7092e9f0e17d04ab0f6787c9088a589eccc8d961933f2d826e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ceb6e6730cd08acc4a4255e1ded50e15

SHA1
9de5491905487c9cacb7be49826d53bbd0df32b9

SHA256
d99fa12327687faa35a2add92c9f450697d28ed0dafb8afee57fceed8b085325

SHA512
9b0800cd6bb98192368cb8ce06b20346d7fa3c3795209249d6c6e39e3ccf86c338a14896974b99f4498672f259d90a5bc334c5454a2cff47234c544067704bd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b6048f8f1789f2651779e597293759c

SHA1
af30efe11d131acc2f1c121a2076ea50b0d96eb3

SHA256
a427a0f5c8039fb4b5abfbb9900da89b59818189bd0d855eaac9686b7757987e

SHA512
ab48fbdd6f41a38f82441115ed581ee90668cd945e5366195aa334cb15a053807e026e3988e2088e66e223e54525449939616f781e54c447f010c5b76846f656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d461def73a31530caf468572572dcd4c

SHA1
3affb7d6c37eba8bd5ab7ce8b30f7b0db0b45f4d

SHA256
48dd101da0f608adc41066697a5f3e205dfe51d25d85ad0ec6174456755d6fb3

SHA512
bb63261d6ef1369060f1aa21ab8f35bf3869871c441e56d5a48ab5f89c0f869756cfda6bd5cd35468fc6da4026b902f4803d4ff90d8902072f887dd41efdcbdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
105603425a97756adba88bc2cfb4f0dd

SHA1
3d97f9ffced00906197013c161d3f6766389b8ba

SHA256
34a050f2cdcccbe20bcff18624119c53a1182525564916a56033d2d97e127394

SHA512
f330d58ce0f50e5a958494408a9f48a2bfd7318f15525ccfbc012b233029abf3426ad11c61d0be51341c8da33ad7899d5735b431adaa7722d96349bf8c412a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
83288deb5c06140c295c6e1ae1ac28b4

SHA1
5e889ff4c3fa538a4b6b0eda2828d8dbef63f8db

SHA256
0827c3e5ad2c764e91910449e422e60a95c270d500479b39e4f4ac0c8caaf0f7

SHA512
998580bb9668cfde9be6d7b440989019b1ee8759c88ffb13603de50cd44ed85278aa135833a2c97cbb5cdd9a8a8397260023df2093766f79ecff64d0ebaa7f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6785bea509081a0eb3abc56a68668ef

SHA1
6d34243bc8a9192cbbce94c4cacbd5ac0a193b7d

SHA256
7201c365647f103d8023d633bed4ee8142f8bc25092f189afe4b53b068db0e00

SHA512
99357cb6c4427118bd043cd59fec89f9aac9999976ff0c90912ad4434083224579da31de0b6bc549a86ee8564a077a965eeb67aeca6976881e047d5714aed030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
14ec79bea5eb2dc58242336d8e12da72

SHA1
6b0cef3d42d8e6baa7d55163dd1cf8cf19ab8a69

SHA256
33219897fe10bf6a38f982b6c9fe39a12b1e758f0e4a475ce0443ac595802d2f

SHA512
f0b833155ec22bcd49aa15aeda72e2fbe756e4984b8a6f51f1a5a5ee589e1b41a90e070c505048bcb47dfac5fbcba22da94df1c291bb310861f25272666079af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6f5a2ee0ce9c9379d6e956cbd6b80364

SHA1
6db4e9f8d011f724c695c3b6132cf0b5851c23f2

SHA256
ef9fcf3c6610fb66c8cf5479a63c3163f754a35c141425822099f19f20d021d4

SHA512
f45a76d66888655345a2d61fae2e1c8d018f4659cd462eca7ad82cf73162a07a6b361251c3db99fcd90379dcd2d1b670be848b3e857b47d0774939888859af7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe683fd5.TMP

Filesize
120B

MD5
8060c4083a148ac04249e6c7ddc52b9a

SHA1
f8f2d5e9a2f9ead1aaac0a906a17e2315d7fcb9e

SHA256
173e2de029d60a44e28323d4d446b1ba97eedfe0bdaabcd45342b46ea403cd97

SHA512
8e391df6169b3f1d2cc90d227d7c127eda214548e6a6218e2ba7bf9375b2af6f649487e9763e55ce1ea69ee62d175526e9bdca228c075d0fe282abac0f3d774d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
d1ea8118446da72ff1e828b781656492

SHA1
b97e99fe49198b88f8fa57c73f27717ccb942430

SHA256
533e336b1d3c31291df432946c5b2bff7e044d690021f112068ef6d77720ba77

SHA512
d6fe82877c8b1a29c99f68a743f77999306c750ae6835b80eeb82bcd329daa591c6dfef012a1f046d18c1a9ba0d9df9ffb6a253908649fdce9f236d5bf6da094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a4df209b6e6595852a2f97cf278b9701

SHA1
f31b9709524da0aecd812377d347a85ed190111c

SHA256
9365a4a6cf2aebde8b5af298db2fc3fc654a57895a14103d3187cdb7f3eaa732

SHA512
2681727bb7465d61e35095be54952d6c459e5a10df450f8c85629e648176dfdd18be35e63476c3632dcebd4e8b37df7fa29772091d7f3a29b35782635a894a1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
3b11cb66caffaaef90ca02d2b59868c1

SHA1
43eeecf9dc3242f103e3bcef739104a7a7ce653f

SHA256
7d647cef69363710f5a0d460dbaadcf859bedd74491d52da8fc2f5cd179426b2

SHA512
db2ce501492f0306bfc99335dc31b85ad62d56b5a9ad979dce452d667e4fb767ba678632058825d9914cae921e03b24cbc37b69f89a6cbca41c7aec387161360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
506f20693ca9e9a7414f13b3b3bf50e3

SHA1
73a8454bc1a817604b521bbfa5654478e9a687ea

SHA256
b7760d4ed465d8e1241a63f30f123f8b4ecefcb47ffe2c4bcaa173732d672c43

SHA512
3343531db49b95289218effa826f5c5cb16f7214bbf1adf2273221090d4b1071857fd2a404149099f4d5f12e71a44b7538b25bf0648fa79865f991b44d7c9357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
602a7f818c71e4c5df213984fce9c6cb

SHA1
bd753ada97de06e81469ff5b0ed76d309b5bf091

SHA256
58e91cef1f559fec0df8449cea0455b94af024334ed8ae22ae4f10a367e1c5b4

SHA512
3042993f49ddcfcf6b8dc2f5ebba2c0c34501c34bb9e101154a583de33923d0a6e870b02f79769ebd4e284068b8aac2f6e13ebfb0c993cbd8969c515961d42d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
2c63905911c8fd43bc470da468c704eb

SHA1
9cacd3609681de979b9496230fef42350f15fb84

SHA256
eca33dd6fe3f0661691b586c53618b03b9d170596459599fbfcdbd5ba90c1780

SHA512
6e69edfb695df8f88b22efb00c24a425faf706b34fafd83b6c460f87f47b2a3c533cac59dd4ff3912804bcafa531ea3ed82e84bfebe5aff93a8a3a63af4bee53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599b8a.TMP

Filesize
92KB

MD5
f27b73371a83e176ac31f22431ae8ad3

SHA1
2c2223c79bf4ae70db9f835d39761262d2bb4fa6

SHA256
dd3b2628ff7a5098c9dbe29c48eece5c85fc5d3f198b27cded5323dd4d466f40

SHA512
f8eb522496f33edbded1cee77c3478306a4a20a3cdd680da7cf8efd4f315dc6cc7fde34a46317d9e235195b0cff0ff4f6ab3b067e65392daf9d16490408d3289

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C15.tmp\Cov29Cry.exe.death

Filesize
103KB

MD5
8bcd083e16af6c15e14520d5a0bd7e6a

SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782

SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C15.tmp\Cov29LockScreen.exe

Filesize
48KB

MD5
f724c6da46dc54e6737db821f9b62d77

SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977

SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C15.tmp\TrojanRansomCovid29.bat

Filesize
1KB

MD5
57f0432c8e31d4ff4da7962db27ef4e8

SHA1
d5023b3123c0b7fae683588ac0480cd2731a0c5e

SHA256
b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

SHA512
bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C15.tmp\fakeerror.vbs

Filesize
144B

MD5
c0437fe3a53e181c5e904f2d13431718

SHA1
44f9547e7259a7fb4fe718e42e499371aa188ab6

SHA256
f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

SHA512
a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C15.tmp\mbr.exe.danger

Filesize
1.3MB

MD5
35af6068d91ba1cc6ce21b461f242f94

SHA1
cb054789ff03aa1617a6f5741ad53e4598184ffa

SHA256
9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

SHA512
136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

Download Submit
C:\Users\Admin\Desktop\covid29-is-here.txt

Filesize
861B

MD5
c53dee51c26d1d759667c25918d3ed10

SHA1
da194c2de15b232811ba9d43a46194d9729507f0

SHA256
dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

SHA512
da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware.zip

Filesize
1.7MB

MD5
272d3e458250acd2ea839eb24b427ce5

SHA1
fae7194da5c969f2d8220ed9250aa1de7bf56609

SHA256
bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

SHA512
d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

Download Submit
memory/632-1181-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2464-1263-0x000000001C200000-0x000000001C300000-memory.dmp

Filesize
1024KB

Download
memory/2464-1192-0x00007FFE0AA60000-0x00007FFE0B44C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-1382-0x00007FFE0AA60000-0x00007FFE0B44C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-1383-0x000000001C200000-0x000000001C300000-memory.dmp

Filesize
1024KB

Download
memory/2464-1386-0x00007FFE0AA60000-0x00007FFE0B44C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-1184-0x00007FFE0AA60000-0x00007FFE0B44C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-1183-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/2928-1191-0x00007FFE0AA60000-0x00007FFE0B44C000-memory.dmp

Filesize
9.9MB

Download
memory/3684-1198-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3684-1150-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3684-1193-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads