Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/03/2025, 18:53

General

  • Target

    malwaredatabase-old

  • Size

    441KB

  • MD5

    63b9c72200ba43bfae902362f6652cb8

  • SHA1

    4c4c4982a2e0299a1ba1db630b265edbafb16fe4

  • SHA256

    dbeb5a687c98f1c5d099c5a8e508472372d1cc9efe353c69eb762aa1b08fb729

  • SHA512

    cc9d29aac31df9d921fb1cabc2a3def00ec4fd9aa0802bb3be166edf34db20e2f51353a104128a2ea69693de9d7e65c8922711aeaa84f23883404c9a4ccf9205

  • SSDEEP

    12288:YNRnpOL/saqkPV9VHmLqgIDSsqIP9uvZJT3CqQrhryf65NRPaCieMjdvCJv1Vi0L:YNGsy

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 34 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\malwaredatabase-old
    1⤵
    PID:1664
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d6f3dcf8,0x7ff9d6f3dd04,0x7ff9d6f3dd10
      2⤵
      PID:2212
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1992,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1988 /prefetch:2
      2⤵
      PID:4740
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2244,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2248 /prefetch:3
      2⤵
      PID:4632
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2368 /prefetch:8
      2⤵
      PID:4908
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
      2⤵
      PID:3672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3240 /prefetch:1
      2⤵
      PID:1636
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4460 /prefetch:2
      2⤵
      PID:5212
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4720,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4752 /prefetch:1
      2⤵
      PID:1168
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4424,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3940 /prefetch:8
      2⤵
      PID:452
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4912,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4896 /prefetch:8
      2⤵
      PID:3744
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5352 /prefetch:8
      2⤵
      PID:5560
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5560 /prefetch:8
      2⤵
      PID:1532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5388,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5492 /prefetch:1
      2⤵
      PID:4444
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5776,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5800 /prefetch:1
      2⤵
      PID:5632
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6060,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=208 /prefetch:8
      2⤵
      PID:3428
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6068,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5916 /prefetch:8
      2⤵
      PID:4240
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6076,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5960 /prefetch:8
      2⤵
      PID:540
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4564,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=208 /prefetch:8
      2⤵
      PID:3280
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3616,i,280037323176336749,58787316200534293,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1132 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:744
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
    PID:5740
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:5772
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1044
  • C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe
    "C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2940
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\TrojanRansomCovid29.bat" "
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4944
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\fakeerror.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3408
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3484
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3548
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2856
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1072
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2524
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1168
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2080
      • C:\Windows\SysWOW64\reg.exe
        reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3644
      • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\mbr.exe
        mbr.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        PID:8
      • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\Cov29Cry.exe
        Cov29Cry.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:932
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          PID:5432
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            5⤵
            PID:1980
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              6⤵
              • Interacts with shadow copies
              PID:1060
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              6⤵
              PID:3272
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            5⤵
            PID:2956
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:4880
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:3164
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            5⤵
            PID:4472
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              6⤵
              • Deletes backup catalog
              PID:4656
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
            5⤵
            • Suspicious use of FindShellTrayWindow
            PID:1964
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5464
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -n 9
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3628
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:5448
      • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\Cov29LockScreen.exe
        Cov29LockScreen.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:936
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4476
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:1988
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1164
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4728

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                                              Filesize

                                                              414B

                                                              MD5

                                                              5eb76109bdcfdc0934f189e3f7aa6dd6

                                                              SHA1

                                                              63543e103aaa61eab674fbd9bcb3a5cca57bae01

                                                              SHA256

                                                              481ae0add1926dae2433c344738e03fb6043435a2337b0e2eaee9dfaa015af9c

                                                              SHA512

                                                              946365ba4c4512cc528d2327ec5d90c3c80dc6521a9562cb1d7f9715ef0988ff965e9061fd6eb6a5ee74389385fe36910008f40f1e3f053537ffcc76b475fb95

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              7426743951a016acc16728bc11497c4c

                                                              SHA1

                                                              3d666b7ab5c471660587d48615347138efcdf05c

                                                              SHA256

                                                              fbfacfbff1261d087a9e980e3efb2dced3d911daaf259d55c3ad075eba50d979

                                                              SHA512

                                                              0bf6dc0f09f64ebb19423a4e0dd499252860e2ee71ed3fca9035974511b4f6563df70d1acd1b6c056e3dc497ac18ed66d611ca2ec21220579fee96ee1337c33c

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                              Filesize

                                                              3KB

                                                              MD5

                                                              e2a4c2ea550b614d5e3ee34148e0435b

                                                              SHA1

                                                              42884136a841ed8639e3bcda9566b979229a0d12

                                                              SHA256

                                                              6dad3b64c948e4a02a5b73b4c422c6b59228d18237931f746662d9d796eaa90d

                                                              SHA512

                                                              be6993590a23a46f8481b4447d326fb92888666391ceeb44efe5931b8a56531df29d189a51740eec996bfcab5366daa304fad248407fa5457ced8a187983cbf9

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                              Filesize

                                                              3KB

                                                              MD5

                                                              39d5a64ac0e6d0a27cbb2e046d8602dd

                                                              SHA1

                                                              d13df59652e46d08235551c4763b257b9efa83d0

                                                              SHA256

                                                              804d048da151b9041aeaa386b85e3fce8b17f853db654582d93da2486dab445e

                                                              SHA512

                                                              3634c85825457a815a8770733f28b6b06ca08abe0fd07335e78c7ef2b94dae828c4e906053779966a35f95dd9dd11aa0a2b08416ead9acf7fef8c6ddb79d1537

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                              Filesize

                                                              2B

                                                              MD5

                                                              d751713988987e9331980363e24189ce

                                                              SHA1

                                                              97d170e1550eee4afc0af065b78cda302a97674c

                                                              SHA256

                                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                              SHA512

                                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              e95d86f8f15e7646bcbf3bb8feeb0c67

                                                              SHA1

                                                              def6d6d800d2a7702eeb4ce3b31f99dcad8aa20e

                                                              SHA256

                                                              8457f55cc4b9572b7c1846a0a879c4ee4ae3711e620e18c8629bc6790faa3a3b

                                                              SHA512

                                                              d322dd08640601746dca3605d4a2d7563a8ea0b8a004b7af56514add1327071dd0e1ca13c9c0101dc9999009bdf65467274d16ad768a13d85c4675e0dc450af8

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              39fd8b22eea63858c8467df264d5e01f

                                                              SHA1

                                                              e825caa7b1e3ed8c3d53140d0ca58a5b9b778e7a

                                                              SHA256

                                                              4891347e9c0431b9066b2e895a4625a535a0107b114fa8eb7a508505abcc51fe

                                                              SHA512

                                                              4bf4d15588da32c86000ebc3dcf4a706da33c13e2ccd45b3af2c4c779e8b40371b666288599a9bd5d562e1f81533ae9aa7c19023235fcbd861c7712840613e04

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              bdd8a235beb5dacfba3501708f8a69e4

                                                              SHA1

                                                              6c8b0ed5c33ddb200ad846b2421cf35acc9aa6cd

                                                              SHA256

                                                              a77a0e662fd558f52710642226fe043fa1d5bf9444bef8e3f4407eaad8f396cd

                                                              SHA512

                                                              8ac65f9e7c8c644a65b85aded260b6c7312d86088b67df33b788371bd07bdbd1078c9560e8daa52eb257671f13a14fb2b03f117fc0f7afedabfc2a1ace1673da

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              10KB

                                                              MD5

                                                              70964193a5cd669ad650d49da87fa03d

                                                              SHA1

                                                              a72d80e9abd4228be5e64ea3da93aa55ea592d44

                                                              SHA256

                                                              b0d4f4b685ad3876154f30764ab01d9129e64307296d8fb3edfeaba5d6de1f81

                                                              SHA512

                                                              ae629785c8b708e9f7f0001fb637e8dadec722f462bf1a32c201af5cc9475d1f82acf73d574bba8cc7c61c0df70fdbd067e58c6d0472afbeb05b13e7091f9b50

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              6db3f7a3805ef83d33642146eefb798f

                                                              SHA1

                                                              ae82f0852a59057a641ec10fd41f20fa27ac265c

                                                              SHA256

                                                              e12348cf715362deee9dec1d1de9e9e20a691926be0254458bae22e889fdc9b8

                                                              SHA512

                                                              41ba9939d15e61780914cf75372a3ea8560c36ef417bfc273bb44ad15433bd4e1c07caea9bfc5cc686c41f94a31714b7849b5ddfc98d7693193054e1fdef6f0a

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              a85dccfaa9e7d724696d775c34e08109

                                                              SHA1

                                                              23ae408d76f5953b0d9df425e6f558d348a76d66

                                                              SHA256

                                                              1f5ea8c4a260e95ca792d8649c18bda04fbed7c64dfc50690776da16a3a601cb

                                                              SHA512

                                                              b7d7753f7ea8bb7718c97c1483eb4d517e8a981bbc9ec9fac224352ae32011dbb291163d6a131c9ae624c6da0bbf60b18af732184a7512477f907425c170efea

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              11KB

                                                              MD5

                                                              ab6cce33fd6723b02d380e0f0ec5a7a8

                                                              SHA1

                                                              92002fe9c549db53fd5a8e7e878f447efc4613ef

                                                              SHA256

                                                              7b7a4e72990a182a670166977743dd08707e2886eb7ac131f88aed8d9fb21012

                                                              SHA512

                                                              f52005e58b97ece9e1710c5110db2841bb8967fbc503011e398653f2abfd26c83631a6a4b6761e47deca1591c34b1cb46f2c2eb511e213299dcd9be2c23ef5fc

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                              Filesize

                                                              10KB

                                                              MD5

                                                              c00eb0660bb4d82ca3e364b8c77341b8

                                                              SHA1

                                                              eab1cb3315176a77f44881275ee8c056d851719f

                                                              SHA256

                                                              6be3d75cbf296033bb5413128a84fa0bfd71bfd18305ba900749c112ae91ee97

                                                              SHA512

                                                              fe7186713d5087e62dc5636bc035d484379693d756dd563fc1b1345e9d32c36d4abca771ae2ee78af6d8d2810e273cdff9b6f66848488e4d5681e0290dd7d0ad

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                              Filesize

                                                              15KB

                                                              MD5

                                                              315e5bc539c051cf66b46bceec173201

                                                              SHA1

                                                              97a11d4aeecc03ee6fa5eafd3698b95ab59ab873

                                                              SHA256

                                                              a31cf3e78ab2f5c676396d61e76057b61f906630b779e05959fc8885a6620954

                                                              SHA512

                                                              28b1bceaa98a444893716cfd570ba6cde27b1041ce25e2ae6e6b57102a10bc9be452cbc5e8aaf45520a460b6e9fbf0e2654ba612c3670df1e913e91fa91c8755

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                                              Filesize

                                                              72B

                                                              MD5

                                                              f3d6c233aa83d4279eaf8328e1c8f5f5

                                                              SHA1

                                                              0622707412feb389528be06ba0a12721432fa886

                                                              SHA256

                                                              6703014e3c4473344528e469afb2b743930b743b9b03af22df23990148ee5a43

                                                              SHA512

                                                              87051b5d3f462c4fbb696ab018b89424fa5c12c4fe8b16600da668dd88220d070dda21b115f4e87d7930fc19bb5e3605d8eda4d81ae7e219a707110dc1c7cdb1

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57aa1b.TMP

                                                              Filesize

                                                              48B

                                                              MD5

                                                              8eafc712b82bdefad5f3df90c56c4261

                                                              SHA1

                                                              449e4a6eca9a7bcfdd42ba381fa1a114dee9b291

                                                              SHA256

                                                              c8ea08dace6d92ab2770025cc7c6d61801b579436264789fdcdf56a9e73bfae7

                                                              SHA512

                                                              1658c26c63b8a4ca013da47c955045b23bc9a45ba1486b8c9944f4822ae176b8f9cd1d892d66b6c569f87ef28a3afd1cdf3b4a489ff824a9ec6e749485ac2628

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                              Filesize

                                                              155KB

                                                              MD5

                                                              4449ac68e9ca10b7162ac89685834717

                                                              SHA1

                                                              eff216e7509fba03851434426eaa33fa38ae6680

                                                              SHA256

                                                              9a588414c69f9e6937c65e6f6d20322c30e6160f3f17d3a95f6fdd58032622d8

                                                              SHA512

                                                              0b72fda271e0c29eea99c93f19a47eda32bc545742e34df70ec67458393ba0534325a979e5b3f66b6cfb6138af5c17dfdeac6b88b869fd060d88b137d648a865

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                              Filesize

                                                              155KB

                                                              MD5

                                                              ec2a0d0ee0cba3edf0d6be7abc6e9135

                                                              SHA1

                                                              186d4e487e90796dfdb5c009ed283a0892a1115a

                                                              SHA256

                                                              48d432d2e42ad8303ec51bc36f18ee900cff19243a5e8eaa1516b0017ea8f59e

                                                              SHA512

                                                              2cd4797a2195c1df5040301592967f957e443c6b66aeb2ae081ed12430aad5d88dd7b7cd900fd0b51b0cf48bf106e1dae6c9e99dc3665ac877b89a6fb1549b9f

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                              Filesize

                                                              80KB

                                                              MD5

                                                              7655488b2145ad9fba0205919d041879

                                                              SHA1

                                                              002f76cebb64bbcd19270013970f71825ab8fc62

                                                              SHA256

                                                              194a18b5320bd350b46f3a7c57adb30a64150b5f57573596b5150e5df9492056

                                                              SHA512

                                                              f105fb51cb980256e2aca85f5675f7d40770e7861266db1b97e77b0332729485f3ef86af0e422183fa01bea73d3f989fb96b0fd79be7c5e02607a0c8a5596306

                                                            • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\Cov29Cry.exe.death

                                                              Filesize

                                                              103KB

                                                              MD5

                                                              8bcd083e16af6c15e14520d5a0bd7e6a

                                                              SHA1

                                                              c4d2f35d1fdb295db887f31bbc9237ac9263d782

                                                              SHA256

                                                              b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

                                                              SHA512

                                                              35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

                                                            • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\Cov29LockScreen.exe

                                                              Filesize

                                                              48KB

                                                              MD5

                                                              f724c6da46dc54e6737db821f9b62d77

                                                              SHA1

                                                              e35d5587326c61f4d7abd75f2f0fc1251b961977

                                                              SHA256

                                                              6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

                                                              SHA512

                                                              6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

                                                            • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\TrojanRansomCovid29.bat

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              57f0432c8e31d4ff4da7962db27ef4e8

                                                              SHA1

                                                              d5023b3123c0b7fae683588ac0480cd2731a0c5e

                                                              SHA256

                                                              b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

                                                              SHA512

                                                              bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

                                                            • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\fakeerror.vbs

                                                              Filesize

                                                              144B

                                                              MD5

                                                              c0437fe3a53e181c5e904f2d13431718

                                                              SHA1

                                                              44f9547e7259a7fb4fe718e42e499371aa188ab6

                                                              SHA256

                                                              f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

                                                              SHA512

                                                              a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

                                                            • C:\Users\Admin\AppData\Local\Temp\BD7F.tmp\mbr.exe.danger

                                                              Filesize

                                                              1.3MB

                                                              MD5

                                                              35af6068d91ba1cc6ce21b461f242f94

                                                              SHA1

                                                              cb054789ff03aa1617a6f5741ad53e4598184ffa

                                                              SHA256

                                                              9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

                                                              SHA512

                                                              136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

                                                            • C:\Users\Admin\Desktop\covid29-is-here.txt

                                                              Filesize

                                                              861B

                                                              MD5

                                                              c53dee51c26d1d759667c25918d3ed10

                                                              SHA1

                                                              da194c2de15b232811ba9d43a46194d9729507f0

                                                              SHA256

                                                              dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

                                                              SHA512

                                                              da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

                                                            • C:\Users\Admin\Downloads\Covid29 Ransomware.zip

                                                              Filesize

                                                              1.7MB

                                                              MD5

                                                              272d3e458250acd2ea839eb24b427ce5

                                                              SHA1

                                                              fae7194da5c969f2d8220ed9250aa1de7bf56609

                                                              SHA256

                                                              bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

                                                              SHA512

                                                              d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

                                                            • memory/8-649-0x0000000000400000-0x00000000004D8000-memory.dmp

                                                              Filesize

                                                              864KB

                                                            • memory/932-648-0x0000000000E60000-0x0000000000E80000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/2940-616-0x0000000000400000-0x00000000005D5000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2940-728-0x0000000000400000-0x00000000005D5000-memory.dmp

                                                              Filesize

                                                              1.8MB

                                                            • memory/2940-732-0x0000000000400000-0x00000000005D5000-memory.dmp

                                                              Filesize

                                                              1.8MB