Malware Analysis Report

2024-10-19 07:15

Sample ID: 240913-zb5j9axdmk
Target: https://github.com/pankoza2-pl/malwaredatabase-old/tree/main/Covid29-Ransomware
Tags: chaos bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The target https://github.com/pankoza2-pl/malwaredatabase-old/tree/main/Covid29-Ransomware was classified as: Known bad.

Malicious Activity Summary

chaos bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Chaos Ransomware

UAC bypass

Chaos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Uses Task Scheduler COM API

Kills process with taskkill

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry key

Modifies registry class

NTFS ADS

Suspicious use of SetWindowsHookEx

Runs ping.exe

Interacts with shadow copies

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-13 20:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-13 20:33
Reported: 2024-09-13 20:39
Platform: win11-20240802-en
Max time kernel: 235s
Max time network: 235s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/tree/main/Covid29-Ransomware

Signatures

Chaos

Tags: ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×4)

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Deletes shadow copies

Tags: ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

Tags: ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A (×2)

Deletes backup catalog

Tags: ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Disables Task Manager via registry modification

Tags: evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-6179872-1886041298-1573312864-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A (×2)

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\A28B.tmp\mbr.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7bwgka39w.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
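The four signatures above (UAC weakened through EnableLUA and ConsentPromptBehaviorAdmin, svchost.url dropped into the Startup folder, a raw open of \??\PhysicalDrive0, and the wallpaper pointed at a jpg under Temp) are simple to turn into host rules. The Python below is an added example written for this page; it is not code from the sandbox, from the sample or from the repository the sample was fetched from. It runs constructed registry and file events, modelled on the indicator rows, through five rules and returns the hits. The event field names, the benign Explorer control events and the SYSTEM_IMAGE_NAMES list are assumptions.

```python
"""Registry/file indicator triage for the Chaos-family behaviour listed above.

Added example, not part of the sandbox report. Event field names are an
assumed vocabulary; the sample events are constructed from the report's rows.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str        # "reg_set", "file_create" or "file_open" (assumed vocabulary)
    target: str      # registry value path, file path or device path
    process: str     # image path of the acting process
    data: str = ""   # registry value data when kind == "reg_set"


# Values the report shows reg.exe forcing to 0: together they silence UAC prompts.
UAC_VALUES = {
    r"\registry\machine\software\microsoft\windows\currentversion\policies\system\enablelua",
    r"\registry\machine\software\microsoft\windows\currentversion\policies\system\consentpromptbehavioradmin",
}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RAW_DISK_RE = re.compile(r"^\\\?\?\\physicaldrive\d+$", re.I)      # \??\PhysicalDrive0 style names
WALLPAPER_RE = re.compile(r"\\control panel\\desktop\\wallpaper$", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
# Image names that belong under C:\Windows; the dropper above runs as AppData\Roaming\svchost.exe.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"))


def triage(events):
    """Return (rule, detail, process) tuples, de-duplicated, in event order."""
    findings = []

    def add(rule, detail, proc):
        hit = (rule, detail, proc)
        if hit not in findings:
            findings.append(hit)

    for e in events:
        if e.kind == "reg_set" and e.target.lower() in UAC_VALUES and e.data.strip('"') == "0":
            add("uac_weakened", e.target.rsplit("\\", 1)[-1], e.process)
        # Anything outside the Windows/Program Files trees writing to Startup is persistence.
        if e.kind in ("file_create", "file_open") and STARTUP_RE.search(e.target) and not in_windows_dir(e.process):
            add("startup_persistence", e.target, e.process)
        # Opening the physical disk device is how the MBR gets overwritten.
        if e.kind == "file_open" and RAW_DISK_RE.match(e.target) and not in_windows_dir(e.process):
            add("raw_disk_access", e.target, e.process)
        # A wallpaper change is noise unless the image sits in Temp or the writer is not a system binary.
        if e.kind == "reg_set" and WALLPAPER_RE.search(e.target) and (TEMP_RE.search(e.data) or not in_windows_dir(e.process)):
            add("wallpaper_replaced", e.data, e.process)
        if image_name(e.process) in SYSTEM_IMAGE_NAMES and not in_windows_dir(e.process):
            add("masquerading_image", image_name(e.process), e.process)
    return findings


def rules_hit(events):
    return sorted({rule for rule, _, _ in triage(events)})


# Constructed events modelled on the indicator rows above; the last two are benign controls.
SAMPLE_EVENTS = [
    Event("reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
          r"C:\Windows\SysWOW64\reg.exe", "0"),
    Event("reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          r"C:\Windows\SysWOW64\reg.exe", "0"),
    Event("file_create", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url",
          r"C:\Users\Admin\AppData\Roaming\svchost.exe"),
    Event("file_open", r"\??\PhysicalDrive0", r"C:\Users\Admin\AppData\Local\Temp\A28B.tmp\mbr.exe"),
    Event("reg_set", r"\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper",
          r"C:\Users\Admin\AppData\Roaming\svchost.exe", r"C:\Users\Admin\AppData\Local\Temp\7bwgka39w.jpg"),
    Event("reg_set", r"\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper",
          r"C:\Windows\explorer.exe", r"C:\Users\Admin\Pictures\beach.jpg"),
    Event("file_open", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Two design points are worth noting. The wallpaper rule stays quiet for a user changing their own background from Explorer and only fires when the image lives under AppData\Local\Temp or the writer is not a system binary. The masquerading rule is what makes C:\Users\Admin\AppData\Roaming\svchost.exe stand out even before it touches the Startup folder: a process named like a Windows service host running from a profile directory is suspicious on its own.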

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A

Browser Information Discovery

Tags: discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Covid29 Ransomware\TrojanRansomCovid29.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\A28B.tmp\mbr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29LockScreen.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tags: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A (×2)

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Interacts with shadow copies

Tags: ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Kills process with taskkill

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
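The sample's recovery-inhibition chain appears in this report as separate one-line signatures (bcdedit.exe twice, wbadmin.exe, vssadmin.exe, taskkill.exe) with no command lines recorded. A detection should correlate them per process tree rather than alert on each binary, because administrators run vssadmin and bcdedit legitimately. The Python below is an added example for this page, not code from the sandbox, the sample or its repository: it groups process-creation events by their topmost known ancestor and raises one alert when two or more of the recovery tools run within a five-minute window, rating it high when any invocation carries a destructive argument. The telemetry is constructed, and every command line in it is an assumed typical invocation, not a value the report observed; the field names are assumptions as well.

```python
"""Recovery-inhibition chain detector (ATT&CK T1490) over process-creation events.

Added example, not part of the sandbox report. Events and command lines below
are constructed; the report records only the image names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds; only differences matter for the window check
    pid: int
    ppid: int
    image: str       # full image path
    cmdline: str = ""


# Built-in tools a ransomware chain uses to destroy recovery options.
RECOVERY_TOOLS = {"vssadmin.exe", "bcdedit.exe", "wbadmin.exe", "wmic.exe"}
# Argument fragments that make an invocation destructive rather than read-only.
DESTRUCTIVE_ARGS = (
    "delete shadows", "shadowcopy delete", "delete catalog",
    "recoveryenabled no", "bootstatuspolicy ignoreallfailures",
)
WINDOW_SECONDS = 300.0


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid: int, parents: dict) -> int:
    """Walk the ppid chain up to the topmost process we hold an event for."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def detect_recovery_inhibition(events):
    """One alert per process tree that runs >= 2 distinct recovery tools
    within WINDOW_SECONDS of each other."""
    parents = {e.pid: e.ppid for e in events}
    by_root = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if image_name(e.image) in RECOVERY_TOOLS:
            by_root[root_of(e.pid, parents)].append(e)

    alerts = []
    for root, tool_events in by_root.items():
        for i, first in enumerate(tool_events):          # sliding window from each tool launch
            window = [e for e in tool_events[i:] if e.ts - first.ts <= WINDOW_SECONDS]
            tools = sorted({image_name(e.image) for e in window})
            if len(tools) < 2:
                continue
            destructive = any(frag in e.cmdline.lower() for e in window for frag in DESTRUCTIVE_ARGS)
            alerts.append({
                "root_pid": root,
                "root_image": next(x.image for x in events if x.pid == root),
                "tools": tools,
                "severity": "high" if destructive else "medium",
            })
            break
    return alerts


# Constructed telemetry modelled on the process names in this report. Command lines
# are assumed typical values, not values the report records. The last two events are
# a benign control: an administrator listing shadow copies from a console.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 100, 50, r"C:\Users\Admin\Desktop\Covid29 Ransomware\TrojanRansomCovid29.exe"),
    ProcEvent(1.0, 200, 100, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(2.0, 201, 200, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(3.0, 202, 200, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcEvent(4.0, 203, 200, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(5.0, 204, 200, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(6.0, 205, 100, r"C:\Windows\SysWOW64\taskkill.exe"),
    ProcEvent(1000.0, 300, 60, r"C:\Windows\system32\mmc.exe"),
    ProcEvent(1001.0, 301, 300, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for alert in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(alert)
```

Correlating on the root ancestor rather than the direct parent matters here: the report shows the tools being launched through intermediate cmd.exe processes, so a rule keyed on the immediate parent would see only cmd.exe and miss the link back to TrojanRansomCovid29.exe.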

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133707333231612020" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A (×7)

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A (×2)

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (×6)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29Cry.exe | N/A (×16)
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A (×17)

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×6)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (×3)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (×32)
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (×32)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (×33)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\PickerHost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29LockScreen.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4148 wrote to memory of 3740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 3740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 2128 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 2128 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 1104 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/tree/main/Covid29-Ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4ba1cc40,0x7ffb4ba1cc4c,0x7ffb4ba1cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1748 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2084 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2336 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3104 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4652 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3532,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4804,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4724 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1000,i,8842683910209296677,7865641287033414892,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5208 /prefetch:8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Covid29 Ransomware\readme.txt

C:\Users\Admin\Desktop\Covid29 Ransomware\TrojanRansomCovid29.exe

"C:\Users\Admin\Desktop\Covid29 Ransomware\TrojanRansomCovid29.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A28B.tmp\TrojanRansomCovid29.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A28B.tmp\fakeerror.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\mbr.exe

mbr.exe

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29Cry.exe

Cov29Cry.exe

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 9

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29LockScreen.exe

Cov29LockScreen.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
GB 142.250.178.10:443 content-autofill.googleapis.com tcp
US 140.82.113.22:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 content-autofill.googleapis.com udp
US 185.199.108.133:443 user-images.githubusercontent.com tcp
GB 104.86.110.112:443 tcp
GB 95.101.143.182:443 www.bing.com tcp
US 20.42.65.84:443 browser.pipe.aria.microsoft.com tcp
GB 23.213.251.133:443 cxcs.microsoft.net tcp
GB 95.101.143.185:443 www.bing.com tcp

Files

\??\pipe\crashpad_4148_TBSOMITNREYRWMUP

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\Downloads\Covid29 Ransomware.zip

C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

memory/2960-391-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\TrojanRansomCovid29.bat

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\fakeerror.vbs

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\mbr.exe.danger

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29Cry.exe.death

memory/1448-423-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2300-424-0x0000000000590000-0x00000000005B0000-memory.dmp

C:\Users\Admin\Desktop\Covid29 Ransomware\source\Bat To Exe Converter\covid29-is-here.txt

memory/2960-513-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A28B.tmp\Cov29LockScreen.exe

memory/2960-520-0x0000000000400000-0x00000000005D5000-memory.dmp