hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Resubmissions

03/03/2025, 18:11

250303-wsrsyavlz9 3

03/03/2025, 18:09

03/03/2025, 18:07

03/03/2025, 18:04

03/03/2025, 18:02

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

aspackv2 bootkit defense_evasion discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
66	3356	chrome.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023e19-391.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Covid21 2.0.exe

Executes dropped EXE 13 IoCs

pid	Process
4116	Covid21 2.0.exe
2084	CLWCP.exe
4736	Corona.exe
3440	inv.exe
3580	z.exe
4696	mlt.exe
3180	icons.exe
2304	screenscrew.exe
2728	Corona.exe
2404	Corona.exe
3820	Corona.exe
4336	Corona.exe
1020	PayloadMBR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\967E.tmp\\PayloadMBR.exe"	PayloadMBR.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
66	raw.githubusercontent.com
64	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PayloadMBR.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\clwcp.bmp"	CLWCP.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023df3-217.dat	upx
behavioral1/memory/4116-238-0x0000000000400000-0x00000000006CF000-memory.dmp	upx
behavioral1/memory/4116-290-0x0000000000400000-0x00000000006CF000-memory.dmp	upx
behavioral1/memory/4116-411-0x0000000000400000-0x00000000006CF000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\clwcp.bmp	CLWCP.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3464	1020	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Corona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PayloadMBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Covid21 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Corona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLWCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Corona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Corona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icons.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Corona.exe

Delays execution with timeout.exe 7 IoCs

defense_evasion

pid	Process
2672	timeout.exe
4440	timeout.exe
2088	timeout.exe
2120	timeout.exe
3928	timeout.exe
3408	timeout.exe
2684	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4736	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133854985541142601"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2876	reg.exe
2304	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
1020	PayloadMBR.exe
1020	PayloadMBR.exe
1020	PayloadMBR.exe
1020	PayloadMBR.exe
1020	PayloadMBR.exe
1020	PayloadMBR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe
Token: SeShutdownPrivilege	3576	chrome.exe
Token: SeCreatePagefilePrivilege	3576	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
4836	cscript.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe
3576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 3164	3576	chrome.exe	89
PID 3576 wrote to memory of 3164	3576	chrome.exe	89
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 4304	3576	chrome.exe	90
PID 3576 wrote to memory of 3356	3576	chrome.exe	91
PID 3576 wrote to memory of 3356	3576	chrome.exe	91
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92
PID 3576 wrote to memory of 668	3576	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87ac2cc40,0x7ff87ac2cc4c,0x7ff87ac2cc58
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2360 /prefetch:8
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3712,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4992,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3304,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3228,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3208,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3164,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3236,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3256,i,898962977021986634,11831566254738987163,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:8
  2⤵
  PID:3548
- C:\Users\Admin\Downloads\Covid21 2.0.exe
  "C:\Users\Admin\Downloads\Covid21 2.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\967E.tmp\Covid21.bat" "
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:724
  - - C:\Windows\SysWOW64\cscript.exe
      cscript prompt.vbs
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      System Location Discovery: System Language Discovery
      PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\CLWCP.exe
      clwcp c:\covid21\covid.jpg
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2084
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2304
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\x.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K coronaloop.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
    - - \??\c:\covid21\Corona.exe
        
        c:\covid21\corona.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
    - - \??\c:\covid21\Corona.exe
        
        c:\covid21\corona.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
    - - \??\c:\covid21\Corona.exe
        
        c:\covid21\corona.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
    - - \??\c:\covid21\Corona.exe
        
        c:\covid21\corona.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
    - - \??\c:\covid21\Corona.exe
        
        c:\covid21\corona.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\inv.exe
      inv.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3440
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\y.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\z.exe
      z.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3580
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\y.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4572
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\mlt.exe
      mlt.exe
      4⤵
      Executes dropped EXE
      PID:4696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\y.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3928
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\y.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\icons.exe
      icons.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3180
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\screenscrew.exe
      screenscrew.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2304
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\y.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967E.tmp\t.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\967E.tmp\PayloadMBR.exe
      PayloadMBR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1020
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\967E.tmp\PayloadMBR.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 528
        5⤵
        Program crash
        
        PID:3464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1020 -ip 1020
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d59bd0da8bb60e43476b6c8b5d73e8e3

SHA1
7d9b11751c74efd3fe137ea806e958bf087b46a0

SHA256
07dc4eeb50b639cde87a0cd3cff556b25815d2ba8241a8f4b4c78fc6858bf7f5

SHA512
afa31f5b7c7e1c02ff24da3f635db55320235853c7672eeac9db855c9423ef45f662219d1d62362f63d40119a3e2ac67656d7ffcb68c7d298be9b39090f95d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
07ce06ead103cc6f4d0659315eb9c1f6

SHA1
0aec6518121bc0421a11f47be99a82fb24e3a3dc

SHA256
1aec5ddd1a0a2f300fad3274f7d55425f0527485cc0abdec0ef9bcc194134982

SHA512
50758e8d679775efeae9748d96145909fd2b1d85f3f5a1d823ec9c385a46ef2f4f9f5107f43e02289bb70204281e0694074cf3808e316a06834a85cf50042911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
34c09c18471065c32d2668f6d8275a77

SHA1
065fee423ca59b17c88e9b7ff0ee9fb4bd2bbbc3

SHA256
1c47b0f6cabcd17c9e0f89ca0d7c5528827733f0c7064bf672cd0ec1f7972a89

SHA512
281a8e2df0b224f4248d4d6b08647427921bd1dfebee8613549d306094cf6542d6e6ce12bc55c776988337a4f54fcb085c5128393c60d31ef8065e06462aafe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f5e2283dc746afe7a82027f3cca7d47f

SHA1
6258f6b6363fb887f0065ddb97a9d31133e2543a

SHA256
d4f8d41d85422341ea0aa0288862e5ebe71cc4ff53c596d69b3cd9567388086f

SHA512
cfe244829dbb5e7b6c71cb712e2c5a4cbbdf2c602fdf92302c96cc17a08095488f887f58a49707552f3809b82bd343e8c485710269d14a4473b138d9002ac9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
10b3f4254bee0c8e644e5dba2eabdddb

SHA1
d336b7ec42323016caddb71348e43394c5d33f86

SHA256
72d67ce635163e884cd82cd0eaffdbf237368b467c05b9a7694c6b11587f9e1f

SHA512
b0c0323c7fc99ea0a7320a5602740b1e23ceb5aa93ecb1f5b31bcd1ff275c8593e31b11375a4aae989ec32f25bff74f6f49b067980418ffc4434b4d20826b4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
353f955a4f529873710a91db0de3273a

SHA1
f3fd767f1a667bc55e16dd1ec42749e94aecd5a6

SHA256
2cec6e84f6bb31827b5c4ad6d9288692b6d447edb816e9eea9e9b285f18aa996

SHA512
0b0e99712bba163fd49fe79f40e1a7998614c481233acfa52d72387ec098a857d3a06fac36cc22fef6fda3dc272c7a9ad10d25782918aab6d4f669174dfbf71f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2ff8f3ea49617e8d382392596806ac49

SHA1
04e665c1b51702b14d1d3e23ac385b6ebe73b3c5

SHA256
3a18badb2cfb51b82386300c75a6905cc4a4f89e431d1ccaa73da449837a38c4

SHA512
685f704606bbd4d48300480904e6deb20b6cb58958ff05302cb627c658d5d6b8d896553c097c1e38389b8b92dad2d4fc3c34db6883ada9f903acfa300189f23a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96fc500f5692add0f82795a8562da6be

SHA1
b5ac893b0a150d812c5048803725f035ead2d398

SHA256
c27e7fec2722bc2cbc23b498ec4b1342939de3ec3a95b6bef7ef2114692cec00

SHA512
58aff40a17d4c1a2e773542ff23bb9a84c9771b5f533eef0e2c87dda7002b8ecb43e0e29a49fbd60c0084da20bc3cdf1f26993b430e946f60436228873804244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
adf7c1923f25bd7be86ae32bd397d9fc

SHA1
0afce983a34223a4b88c8d4f51396ae5094fcff8

SHA256
b147c61c51d961344bb416dee3caca1d8090690246291004e54ecd8fe7c94b7e

SHA512
0bd2b73aca7293197edf42344bc129a29ae56d75667bd5a46e8386a5974f23057f72c064b48784caf1faf3410a74e7f9a0b70288485457ada618282c00a7a154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f27b6278c86f62c4b9dec3a36c52ec2

SHA1
67ff89272f638d2175e4e05e7591a0ff6b30649c

SHA256
d6b5cfd6f5c5496439a86b1d655cf4d3effb6ed9b3f9fc02f6b3959d1e5ee5a9

SHA512
265d4311f42fcf1e3944a389ce3a3530046e1df3f652299fd5bd7d3e5253cc189bf8a2e30ebfd0916ff6007cbecc4474291a9d8d6af1b209c48db3566d08ffea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ff01c6188dd6fe2c0a5de5b1c9cc31e5

SHA1
7d2534544d6237b45159bdc9c01dc53f6637d7a6

SHA256
7c1df477380b0ffce0a1c9d9f3ff0f917827f273a4ece91c580985803d7cab42

SHA512
345d939e509021c90522ea319108598455527bbb61b73cca13233d4741aa17d9f3a27d141f75e9b177b7b0300d5b8f01bcfc281db45f4aa9b9a250b1cb028b56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6b635923d1b7a0d0168d524faa5e9169

SHA1
56ce13d580a08565ccbec3bb56c20e0d45866058

SHA256
f918c138795d856218c75c2fd339c7c5ff633905ba71ea6c4d565026b01227c4

SHA512
adb7b00e5633390aa849f092f9db577b5bd433c615193e6a8fb9bb07df96e07d767b45169b7b00b17eef0bc2c57d14b8a576b2784d5d8eb04855852d9cf8061a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea48b0568a6a844b480dd96b71a40f79

SHA1
0fcbadb01ae418b2aa56ab19e590bd17bc51329e

SHA256
f19de01984e6730a196650f729bc39fc5459ae7d670543fb69433cbb368111ec

SHA512
4e55eb1a87dbd9152cf1f8d2718385c09d12da1c63829f5b3301aca65958178d1b475c4ec171a055fc60c65f67e0ec790039016e4841c32064642cfb03df8780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0f5935e80c6c6989e51d68f9ef199d71

SHA1
e015bb58882855b53be24756eef394637d7f78c0

SHA256
265572377ab75025ca67b10a2298c6ed6ddea578d6af9ebeb14e633b96fb6dc4

SHA512
3f853e1d16e1492b68fa6ed0558272c5b10b1753f3a0d99a103e5286af9dba1c831fae1a639c3a65737b0c460b110171cbd26c515713f1d6d838a89c44611f90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f92bcc906c3ac4cdbd4e5fe138e1cf79

SHA1
9826f0b7b75a58762902039900a7577d2e41f597

SHA256
e34a2e870bbe7589209fbb7801e0ceb596712ac8dd8710a4826b421578719e70

SHA512
6574fb27725103d8e406cefb37f2887255165d10f4641409318f495667277cd8311a2cdd41ebe948d0217f15c0319b5993648b90eef4c3e8057df0ea478e80be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
d7a871ce2928598561c96fa6cf2df9fc

SHA1
9f5a15d94f79d5972a4e330741624734f3e76b2e

SHA256
c5a66ae1531d8ee42c9ba85fff36076e5a26ada727b85fafedcfc2f62c6b8a08

SHA512
fccacb0e4fcadbe22fae3c1a54722986703d94e7c38fd7427808010e1d1d20588e802b4d91279e645655f15bcdb250112fff5529e56d7cdebc91a42c4b577e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
518edad1f619055493ca932615c93b3a

SHA1
a6f1e8bda703ce6d627384756ee0d12f7c54f846

SHA256
5064671072e3cc1cda5e02b0b257911a99431d99a6230d8d601615cb779ba481

SHA512
21502a0ba2e1cb29e78a4af3da8ad9f97640e1934481031cb0ec1a12da50d3d860f0d44b8f4a44355c649d035b41843f4ae206f452175e17398026cebafd9492

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\CLWCP.exe

Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\Corona.exe

Filesize
519KB

MD5
6374ca8ad59246dfed4794fd788d6560

SHA1
d54281430ad11272f657de4e909b4ba7b8561821

SHA256
25b6f4abc0b8a7a3f3cae54a2f75810b977c0f5ed20af98e77be9449e7135108

SHA512
0434f5c6ecd1a036a59e2f5de56f0905460d46c31fff6a7f160f54cfbcb56ea2da22647d564e53d66c47a789a67d165c59e64d924b0f2cf80fdcd865847a772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\Covid21.bat

Filesize
1KB

MD5
6b89a7fd6e3d9bdc4658162aaf468558

SHA1
f8ef11b2420b95661565b799d86c188bf11bf4a7

SHA256
76986cddbfeb8fa8738c8ca2665a7f91d19d1e8c6851151fcba5164e35618dfb

SHA512
f9b3338b65d5ca6cc25b1c36b2c3299d758d5e7ac92e6fd8d0298f945e898c51e548323f86a12983bb375e49404cb6b401f5472bbb580a6675df57277045ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\PayloadMBR.exe

Filesize
101KB

MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\coronaloop.bat

Filesize
48B

MD5
08437e731c7b135b3779b004c7863e5f

SHA1
24ce5d4075fdc5afec6cb87cacfc7b54deadc3ec

SHA256
043b49fbbe070997844a2c4467596553261bfb6ea79ac3c50fabd42146eea924

SHA512
6006014b10f400b6975b391be64e07e78fe5a3818cd39a0a8f9349c4cff595134fb5217beb5205e04eab86473c4fa0f6701b657d76c144540aa468d2d382c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\covid.jpg

Filesize
166KB

MD5
94ad752abc09644d0b91a07022ecb000

SHA1
7ee97dc56e62e7b2d86ee892e7cf70673252242f

SHA256
e3760c671cec108580d47b0f8c11ae79e9df9941d2e878032eeda1b510f91231

SHA512
9c0109a8e7de5ea42b3ce8788a412f6ed1158afd3db87884034631da15ec4c16275f0578c6ad438e91dc203c89aef725d2642e06b751df5cff0d47b3d9a1ad1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\icons.exe

Filesize
105KB

MD5
3ca1d5768c2944d4284b1541653823c7

SHA1
85cf021ac23cd1340c6d649e6a77a213c1f848b6

SHA256
4172c6120f8f98685698365d6dd52c80eb2080203cdde479009bf8f4fa770af0

SHA512
7972adb329dbebc347b8a68789bbac4ba7c230cc980910d18a322d1a512015633d2a5801e76c0aae2fcfe120790c69417864549787dfc37574fb0aa3bfc202f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\inv.exe

Filesize
359KB

MD5
ebb811d0396c06a70fe74d9b23679446

SHA1
e375f124a8284479dd052161a07f57de28397638

SHA256
28e979002cb4db546bf9d9d58f5a55fd8319be638a0974c634cae6e7e9dbcd89

SHA512
1de3dcd856f30004becee7c769d62530f3a5e9785c853537adc0a387d461c97b305f75cbaf13f278dd72ba22d4650e92c48edf3c3a74b13ed68ffc0d45e13774

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\mlt.exe

Filesize
130KB

MD5
a4e26d32f9655dbe8efd276a530eb02b

SHA1
d194526518fddd34bfc75cc0575d9b5cf3e1e304

SHA256
4c2277c81cbf6c415ab874cfb32d3b0049c8b18ac7eee1dd6c1f5d9f5f043c83

SHA512
e77c58b321a1c696554b018cc51fad2f2df4bac39fa90f17a83ec646c90d67b6da5fccb2e80c468e2cf32cc7f9f3f62b160c3f0afbc2130faa1002ecde5b5676

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\prompt.vbs

Filesize
188B

MD5
82c0a5e92259ff193b914e6c0d7c8a7a

SHA1
ed6868eff7055555689e613a62f4275eafa97c36

SHA256
02e3663bb7bc9f8fe4377887dc24e63fc83187be9cb0181f87e5f93af4c7ca8b

SHA512
43c1ef453531200dd625945a65727daef28ee480fb210e97846633841f8215261e3195a8be77c280e8b6fe193b59c7367302c3fc74879b5952fa31f3235ddb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\t.vbs

Filesize
60B

MD5
ee0306a79aaefbd4cf3bc7e5f8a0d3b1

SHA1
32dae2cfb0af831f0e8445f36c0d2ce0fe9b2e88

SHA256
969ae83f1366975bece266c3be5994291c55302e93564a1435fe542b456904ec

SHA512
fdfab128f4f096f4b4dd31758116522337644f269cb28e1496e20d866083bf31d277a123704e8924a0fc4ef0212cba89e3ab9fddcaffcf400c859c8df87736fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\x.vbs

Filesize
79B

MD5
7740551865a57633b3e92986352dfa1b

SHA1
74070b3636b69b710c32996fc1640129202f4caf

SHA256
8a36ecc37eb454fe13b4b31eb9eda67919aa5dd3a474480930982ef93334499a

SHA512
b4c5902f3ca91fa83ec0297254acf5f63b2145500863afb86f96b9c2d3844c8c476cd0f6dd31e3eb92c4aca2cd35c2f6be563549817b676fa9b4592f280c79f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\y.vbs

Filesize
24B

MD5
5ecb02eaaa322be4df7f61a1a23c799d

SHA1
bec83a2546f38a7133ef962d09cd520f87e5abb2

SHA256
d78710d080d6200bff04d443f8fa923f619914fb191dc2b3865da1f3d9739e30

SHA512
2306f4fc08e0aefe4a44c4507e46ee2d3d808423ec8d31980980f785e20c0df301a9b3d9a2469d609e054d5a8ac4089ac39ffb388b70ed8a36f688b4362a2f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\967E.tmp\z.exe

Filesize
412KB

MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
C:\Users\Admin\Downloads\Covid21 2.0.exe

Filesize
1.2MB

MD5
a7c7f5e792809db8653a75c958f82bc4

SHA1
7ebe75db24af98efdcfebd970e7eea4b029f9f81

SHA256
02fea9970500d498e602b22cea68ade9869aca40a5cdc79cf1798644ba2057ca

SHA512
feb42cc7b4f344c043bda8bebeefa8cbb68406d1e937dcdc5a403981f79587fa438c682c4744a47a77482fc049b0334806d468aeb67edd4a92d90b5acd0c16ae

Download Submit
memory/1020-426-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2084-319-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2304-414-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-403-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2728-396-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3180-405-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3440-374-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3440-412-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3440-392-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3440-427-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3820-406-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4116-290-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/4116-411-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/4116-238-0x0000000000400000-0x00000000006CF000-memory.dmp

Filesize
2.8MB

Download
memory/4336-425-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4696-393-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4736-394-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4736-369-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download