Analysis

  • max time kernel
    71s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 12:58

General

  • Target

    https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/Covid29-Ransomware/Covid29%20Ransomware.zip

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/Covid29-Ransomware/Covid29%20Ransomware.zip
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c6c46f8,0x7ffd0c6c4708,0x7ffd0c6c4718
      2⤵
        PID:2060
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        2⤵
          PID:3316
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2764
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
          2⤵
            PID:4108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
            2⤵
              PID:3656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
              2⤵
                PID:4188
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
                2⤵
                  PID:1628
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3960
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
                  2⤵
                    PID:3984
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
                    2⤵
                      PID:2452
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3472 /prefetch:8
                      2⤵
                        PID:4844
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
                        2⤵
                          PID:1460
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1252
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
                          2⤵
                            PID:1564
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13096272314883155607,5190374165375919480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
                            2⤵
                              PID:4168
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3812
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1436
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5236
                                • C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"
                                  1⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:5444
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C033.tmp\TrojanRansomCovid29.bat" "
                                    2⤵
                                    • Checks computer location settings
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:5616
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C033.tmp\fakeerror.vbs"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:5708
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping localhost -n 2
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:5724
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5844
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5860
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5876
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5892
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5908
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                      3⤵
                                      • UAC bypass
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5924
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                      3⤵
                                      • UAC bypass
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry key
                                      PID:5940
                                    • C:\Users\Admin\AppData\Local\Temp\C033.tmp\mbr.exe
                                      mbr.exe
                                      3⤵
                                      • Executes dropped EXE
                                      • Writes to the Master Boot Record (MBR)
                                      • System Location Discovery: System Language Discovery
                                      PID:5968
                                    • C:\Users\Admin\AppData\Local\Temp\C033.tmp\Cov29Cry.exe
                                      Cov29Cry.exe
                                      3⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5996
                                      • C:\Users\Admin\AppData\Roaming\svchost.exe
                                        "C:\Users\Admin\AppData\Roaming\svchost.exe"
                                        4⤵
                                        • Checks computer location settings
                                        • Drops startup file
                                        • Executes dropped EXE
                                        • Drops desktop.ini file(s)
                                        • Sets desktop wallpaper using registry
                                        • Modifies registry class
                                        • Suspicious behavior: AddClipboardFormatListener
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3628
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                                          5⤵
                                            PID:5556
                                            • C:\Windows\system32\vssadmin.exe
                                              vssadmin delete shadows /all /quiet
                                              6⤵
                                              • Interacts with shadow copies
                                              PID:5700
                                            • C:\Windows\System32\Wbem\WMIC.exe
                                              wmic shadowcopy delete
                                              6⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5944
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                                            5⤵
                                              PID:6008
                                              • C:\Windows\system32\bcdedit.exe
                                                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                6⤵
                                                • Modifies boot configuration data using bcdedit
                                                PID:6024
                                              • C:\Windows\system32\bcdedit.exe
                                                bcdedit /set {default} recoveryenabled no
                                                6⤵
                                                • Modifies boot configuration data using bcdedit
                                                PID:2336
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                              5⤵
                                                PID:2792
                                                • C:\Windows\system32\wbadmin.exe
                                                  wbadmin delete catalog -quiet
                                                  6⤵
                                                  • Deletes backup catalog
                                                  PID:1184
                                              • C:\Windows\system32\NOTEPAD.EXE
                                                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
                                                5⤵
                                                  PID:2364
                                            • C:\Windows\SysWOW64\shutdown.exe
                                              shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:6024
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping localhost -n 9
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:6092
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /f /im explorer.exe
                                              3⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5252
                                            • C:\Users\Admin\AppData\Local\Temp\C033.tmp\Cov29LockScreen.exe
                                              Cov29LockScreen.exe
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of SetWindowsHookEx
                                              PID:304
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5732
                                        • C:\Windows\system32\wbengine.exe
                                          "C:\Windows\system32\wbengine.exe"
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4052
                                        • C:\Windows\System32\vdsldr.exe
                                          C:\Windows\System32\vdsldr.exe -Embedding
                                          1⤵
                                            PID:4184
                                          • C:\Windows\System32\vds.exe
                                            C:\Windows\System32\vds.exe
                                            1⤵
                                            • Checks SCSI registry key(s)
                                            PID:5320

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            dc058ebc0f8181946a312f0be99ed79c

                                            SHA1

                                            0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

                                            SHA256

                                            378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

                                            SHA512

                                            36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            a0486d6f8406d852dd805b66ff467692

                                            SHA1

                                            77ba1f63142e86b21c951b808f4bc5d8ed89b571

                                            SHA256

                                            c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

                                            SHA512

                                            065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                            Filesize

                                            261B

                                            MD5

                                            2c2e6472d05e3832905f0ad4a04d21c3

                                            SHA1

                                            007edbf35759af62a5b847ab09055e7d9b86ffcc

                                            SHA256

                                            283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

                                            SHA512

                                            8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            1d5514bc9bd5089688381a7d1f7b1df2

                                            SHA1

                                            d33968720c3118a8d9cac4150b917524e2a58bb4

                                            SHA256

                                            9104385aaba41347da7fa0c2af0b219a52b7bae7c2f3ef2c8c42a0ebc55eff15

                                            SHA512

                                            3eded7ceadf19cecc1337fd1a936a737f0d2c08333c917e4c98ea3cc3d95aacb2822726f4c64218b403005d6ac45b115937967e594eb06f77161da239c8f65f7

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            61406e6fb56a6e660efd2399325a2952

                                            SHA1

                                            2a81e2fb7bfe7c68d538fa3baf0437df207cfffd

                                            SHA256

                                            14c54582681abd9e427ceccb5662d5fedc0c07a5e6936a34e1c5facad79d3d41

                                            SHA512

                                            7c5e5a41779fa6c5d46f2a36d545c4de566e08ae970892ee8d0ca0948f1a03f002bd8293c143b7d938cd24f8fcf4309704fee4142f962faa97a88592dd816335

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            6752a1d65b201c13b62ea44016eb221f

                                            SHA1

                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                            SHA256

                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                            SHA512

                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            10KB

                                            MD5

                                            356364bda6d670a550a889e816f261af

                                            SHA1

                                            1b5fcd2beab7f2c2d33a9e1935589bc889d936c4

                                            SHA256

                                            32cfa015f7a9d8ffcbaa6141829fea48921b0645727137b3d1d79622071ec054

                                            SHA512

                                            1715b896def197fef04ef937d6e0f3aa9f39495052a49d93257a163042e7cbeaaef80b971a8a0dd2d542468499d82ee6f80726a60933bbd0cec67a770c18bcdc

                                          • C:\Users\Admin\AppData\Local\Temp\C033.tmp\Cov29Cry.exe

                                            Filesize

                                            103KB

                                            MD5

                                            8bcd083e16af6c15e14520d5a0bd7e6a

                                            SHA1

                                            c4d2f35d1fdb295db887f31bbc9237ac9263d782

                                            SHA256

                                            b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

                                            SHA512

                                            35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

                                          • C:\Users\Admin\AppData\Local\Temp\C033.tmp\Cov29LockScreen.exe

                                            Filesize

                                            48KB

                                            MD5

                                            f724c6da46dc54e6737db821f9b62d77

                                            SHA1

                                            e35d5587326c61f4d7abd75f2f0fc1251b961977

                                            SHA256

                                            6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

                                            SHA512

                                            6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

                                          • C:\Users\Admin\AppData\Local\Temp\C033.tmp\TrojanRansomCovid29.bat

                                            Filesize

                                            1KB

                                            MD5

                                            57f0432c8e31d4ff4da7962db27ef4e8

                                            SHA1

                                            d5023b3123c0b7fae683588ac0480cd2731a0c5e

                                            SHA256

                                            b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

                                            SHA512

                                            bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

                                          • C:\Users\Admin\AppData\Local\Temp\C033.tmp\fakeerror.vbs

                                            Filesize

                                            144B

                                            MD5

                                            c0437fe3a53e181c5e904f2d13431718

                                            SHA1

                                            44f9547e7259a7fb4fe718e42e499371aa188ab6

                                            SHA256

                                            f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

                                            SHA512

                                            a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

                                          • C:\Users\Admin\AppData\Local\Temp\C033.tmp\mbr.exe.danger

                                            Filesize

                                            1.3MB

                                            MD5

                                            35af6068d91ba1cc6ce21b461f242f94

                                            SHA1

                                            cb054789ff03aa1617a6f5741ad53e4598184ffa

                                            SHA256

                                            9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

                                            SHA512

                                            136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

                                          • C:\Users\Admin\Desktop\covid29-is-here.txt

                                            Filesize

                                            861B

                                            MD5

                                            c53dee51c26d1d759667c25918d3ed10

                                            SHA1

                                            da194c2de15b232811ba9d43a46194d9729507f0

                                            SHA256

                                            dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

                                            SHA512

                                            da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

                                          • C:\Users\Admin\Downloads\Covid29 Ransomware.zip

                                            Filesize

                                            1.7MB

                                            MD5

                                            272d3e458250acd2ea839eb24b427ce5

                                            SHA1

                                            fae7194da5c969f2d8220ed9250aa1de7bf56609

                                            SHA256

                                            bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

                                            SHA512

                                            d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

                                          • memory/5444-68-0x0000000000400000-0x00000000005D5000-memory.dmp

                                            Filesize

                                            1.8MB

                                          • memory/5444-172-0x0000000000400000-0x00000000005D5000-memory.dmp

                                            Filesize

                                            1.8MB

                                          • memory/5444-179-0x0000000000400000-0x00000000005D5000-memory.dmp

                                            Filesize

                                            1.8MB

                                          • memory/5968-100-0x0000000000400000-0x00000000004D8000-memory.dmp

                                            Filesize

                                            864KB

                                          • memory/5996-101-0x0000000000FD0000-0x0000000000FF0000-memory.dmp

                                            Filesize

                                            128KB