Resubmissions
25/03/2025, 17:08 | 250325-vnlkpay1fz | 8
25/03/2025, 17:05 | 250325-vlwymsy1dz | 10
25/03/2025, 16:31 | 250325-t1vtfsyxdy | 8
25/03/2025, 16:22 | 250325-tvgpmssns7 | 10
25/03/2025, 16:13 | 250325-tpecbsyway | 10
Analysis
max time kernel: 452s
max time network: 452s
platform: windows11-21h2_x64
resource: win11-20250314-en
resource tags: arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25/03/2025, 16:13
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/pankoza2-pl/malwaredatabase-old
Resource: win11-20250314-en
General
Target: https://github.com/pankoza2-pl/malwaredatabase-old
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource | yara_rule
behavioral1/files/0x001900000002b36c-591.dat | family_chaos
behavioral1/memory/548-599-0x0000000000F00000-0x0000000000F20000-memory.dmp | family_chaos
behavioral1/memory/2124-756-0x0000000000400000-0x00000000005D5000-memory.dmp | family_chaos
behavioral1/memory/2124-761-0x0000000000400000-0x00000000005D5000-memory.dmp | family_chaos
Chaos family
-
UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
3116 | bcdedit.exe
404 | bcdedit.exe
pid | Process
2112 | wbadmin.exe
Disables Task Manager via registry modification
-
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt | svchost.exe
Executes dropped EXE 4 IoCs
pid | Process
4824 | mbr.exe
548 | Cov29Cry.exe
904 | svchost.exe
3996 | Cov29LockScreen.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
28 | raw.githubusercontent.com
24 | raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | mbr.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kiws3nfcl.jpg" | svchost.exe
resource | yara_rule
behavioral1/memory/2124-565-0x0000000000400000-0x00000000005D5000-memory.dmp | upx
behavioral1/memory/2124-756-0x0000000000400000-0x00000000005D5000-memory.dmp | upx
behavioral1/memory/2124-761-0x0000000000400000-0x00000000005D5000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cov29LockScreen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TrojanRansomCovid29.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
5116 | PING.EXE
4884 | PING.EXE
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
6140 | vssadmin.exe
Kills process with taskkill 1 IoCs
pid | Process
5876 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428 | chrome.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox" | chrome.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings | svchost.exe
Modifies registry key 1 TTPs 7 IoCs
pid | Process
3704 | reg.exe
6052 | reg.exe
5668 | reg.exe
1900 | reg.exe
5612 | reg.exe
5660 | reg.exe
3824 | reg.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\Covid29 Ransomware (1).zip:Zone.Identifier | chrome.exe
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
4884 | PING.EXE
5116 | PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
904 | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid | Process
5604 | chrome.exe
5604 | chrome.exe
5604 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4716 | PickerHost.exe
3996 | Cov29LockScreen.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5604
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa37cdcf8,0x7fffa37cdd04,0x7fffa37cdd10
    PID: 5872
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1980,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2064 /prefetch:11
    PID: 5008
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2032,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2028 /prefetch:2
    PID: 4760
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2512 /prefetch:13
    PID: 5096
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3272 /prefetch:1
    PID: 2356
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3292 /prefetch:1
    PID: 5036
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4172,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4188 /prefetch:9
    PID: 5372
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5532,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5548 /prefetch:14
    PID: 492
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4440 /prefetch:14
    PID: 3080
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5580,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4860 /prefetch:14
    PID: 404
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5620,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4828 /prefetch:14
    PID: 5972
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4144,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4976 /prefetch:14
    - NTFS ADS
    PID: 3128
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4944 /prefetch:14
    - NTFS ADS
    PID: 6024
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=744,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4300 /prefetch:10
    - Suspicious behavior: EnumeratesProcesses
    PID: 5460
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4880,i,16895877878937967591,6506949616244512475,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4956 /prefetch:14
    PID: 5216
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  PID: 5880
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 2004
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5800
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Covid29 Ransomware\readme.txt
  PID: 6004
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Enumerates connected drives
  PID: 3644
  - C:\Windows\System32\SearchProtocolHost.exe
    Command line: "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 2992
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 828 2784 1120 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
    - Modifies data under HKEY_USERS
    PID: 768
  - C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 828 2856 2852 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
    - Modifies data under HKEY_USERS
    PID: 972
- C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2248
- C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
  PID: 5032
- C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
  PID: 4776
- C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe
  Command line: "C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"
  - System Location Discovery: System Language Discovery
  PID: 2124
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9310.tmp\TrojanRansomCovid29.bat" "
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 496
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9310.tmp\fakeerror.vbs"
      - System Location Discovery: System Language Discovery
      PID: 1188
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping localhost -n 2
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 5116
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 6052
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 5668
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 1900
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 5612
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 5660
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 3824
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - System Location Discovery: System Language Discovery
      - Modifies registry key
      PID: 3704
    - C:\Users\Admin\AppData\Local\Temp\9310.tmp\mbr.exe
      Command line: mbr.exe
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      PID: 4824
    - C:\Users\Admin\AppData\Local\Temp\9310.tmp\Cov29Cry.exe
      Command line: Cov29Cry.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 548
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Drops startup file
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - Sets desktop wallpaper using registry
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        PID: 904
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          PID: 5764
          - C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
            PID: 6140
          - C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            PID: 4004
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          PID: 2476
          - C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
            PID: 3116
          - C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
            PID: 404
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          PID: 868
          - C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog
            PID: 2112
        - C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
          PID: 4688
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
      - System Location Discovery: System Language Discovery
      PID: 3064
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping localhost -n 9
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 4884
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im explorer.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      PID: 5876
    - C:\Users\Admin\AppData\Local\Temp\9310.tmp\Cov29LockScreen.exe
      Command line: Cov29LockScreen.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 3996
- C:\Windows\System32\PickerHost.exe
  Command line: C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 4716
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4452
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 3896
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2484
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID: 5932
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (2)
- Query Registry (4)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\272f1003-2834-45a5-a0ae-09ad1cc85370.tmp
  Filesize: 11KB
  MD5: 7ba0cd730ade2bce6b201cc1cc156277
  SHA1: 4cd64999335cee7121e976afe8cf64dd366c4e04
  SHA256: b8816d4d9c40ca3d8f884cefa4430dd9050c1bd1879c59fcf0ebfaf4c8fa83a3
  SHA512: 479e35fd1652ce6db0912284c713c9e1a51151e3b2b0fc2f2bb5d9488b812c25fb0ce4b2f9fbca8482116c3dac182e3aa8ddd22c9c66d5b16162f7cbd41f13d5
- Filesize: 649B
  MD5: 370a109ee219f5ac7900898c10af5006
  SHA1: 9138e73f2a257a712c5f201be7316e06e375dc19
  SHA256: 18c0e8697d7f241eb2de9470b5c4b43657990cb4eeba31300937c123f5d4770e
  SHA512: 8e94924f83d12bdb6367e482610fd28bb8cf01cd205a923ad04a82f2ba00026e0713c2c4371048c926735eca9074ce0201d3e21780d3de2459053572c64c46e2
- Filesize: 2KB
  MD5: 5eeeb9fd643ac5ae5f6424340e743dd5
  SHA1: aa26307c5490bbb3b0032e58c47e3fa82917bce9
  SHA256: 95e4f840cd830efc3d5cebf33b651e352eae19ce0c70927c6a2838b19e3da686
  SHA512: 052d11f6897f365561ff0a764f1b3961ced583aaff1b7238a3674e00dfa3606488df846328558abd01587847f545721301cd87ab0ed1204d3cadf13f64f4b683
- Filesize: 3KB
  MD5: 2afa8a44d4736263f5659fc39f103edb
  SHA1: 74e4b98dcfaa21dd7b7b21af1562a05f83c8a58c
  SHA256: db8bee712f8a79bff311d4873cff3ce36dbf5387528b4f23335d8877f735e058
  SHA512: 81fd1f60ceec566f8a2c8c8bdfcb05cb3a0a65df026db2ae0649fe562d65984d8596ab91301917690e713f486c1d396ba7d03276269d20778051d41e43925cce
- Filesize: 3KB
  MD5: 27970e8ff9991036c40e8059d80133d2
  SHA1: 95cceed3fbc1205b071e913343444ad3d94e42ef
  SHA256: eed8a02fa3e6b12dca53472795b0ca574fb2473e905ec245ac794728d3c20942
  SHA512: 4e22dcd878f39b655fd96c25aaa74ee377c79b08dd5be1a6ca9d0297734c7429e0544a642bd76484f298f9f0ba32187a490c45fc88c4593d44f88e02bd713d16
- Filesize: 3KB
  MD5: ed7e9b441735893f7958f9001c368634
  SHA1: 2c23b43cd39552cffe9932a0de93852ba89d7be3
  SHA256: b6f72f1676d539c9326eeffd4bcb4caccf71d47d54b501f3448df21488830872
  SHA512: 512872cc2214346d38e41640356ef073d1cb28d1507dfba4757d6e57fcbafdd322a153f19e05b27581035d2a9625b3a6bad628854a80d24da141809ec9611cb6
- Filesize: 2KB
  MD5: fb76cc1fb2d83410d0cc8b97a90de278
  SHA1: 72a3fd2a795d04ef7bce031a3caf70f5fd37ea47
  SHA256: 4ca4802cd1a4736d9917dfe5b52534f1528286c1a22e0cf02d3db8c19585b714
  SHA512: a3f99417191f593a2883e460f4e4898de638c62b7f5581502e5d4a429ec9863e58fef18b7bbb174dae46f23a0c583d78bf4aa26c3ec7d263d18b5163a180da5f
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 1KB
  MD5: d779a63556d0bdb3453bf4d6578996bb
  SHA1: 383a21aeb12fa689bdd7ccef28ec54b51c63af44
  SHA256: 5a4785fb14e492434eecc3a3978064439826968ca69b2022ac62890c4a5f6baa
  SHA512: 50a4972c9c7f554e5428f7a2f8318057aa9b607fb75bb624532ba8498fd67023715326bf534c0dfc84d20f0cbc0f6b4eaf90f77d927268af16c3be288af50ad8
- Filesize: 11KB
  MD5: 44ea110ef18084cdc2f3a5c675f9fea8
  SHA1: 0566ce2d6416add164fe8f3b0b181a7a70df172e
  SHA256: 15baa87291af50f2729a4dddcd40ef0f18f0215008b36ca282f57287725b5997
  SHA512: 32488bc212031a53a98dc0f6c4e2b61d3035abcff066a08b8f94c146889ce357595ff8dfc017253cc770483598ddec04a7dc4bae1db91d7ad9d3ebb54c0af0d3
- Filesize: 11KB
  MD5: 978f88139e768945715f39788f9086b2
  SHA1: ad61d24bf6bdc4791e25527ec56e4da6182cce82
  SHA256: 1f556f1865097da60965e9d54df95252446953abb87d592033b2dd5224b5c323
  SHA512: 6682793cc08801273fec136e28917ca1981f8577d9bcc7be8c0ca5c2f1f625c684fbec1126f92e79abe18bc3bbf992593520c5b3af26a9cdb5536c84b304d080
- Filesize: 11KB
  MD5: 23af1b1eb7e8f51731fc297c20fb7139
  SHA1: d08a41da6b7d0d74d25a8163049901a726ceca66
  SHA256: ff3e8963c606e4dc0a06910a4e84b211b7003f5b2de5510ff99c76cefe7ba9cb
  SHA512: 0d880c17ddabcd13fb9481668146aed39c0c3637aef02dd52b8f928549b65bef2b28e8c90db8c08fbdaede4c015637ec4aabec9afc3c40f7811d9fc5f9515fd6
- Filesize: 11KB
  MD5: 26ad241b601ccadeec929f438779605a
  SHA1: f5d1f179e09455b482147f1cc4ce2452f6d89e0d
  SHA256: cbcc372117538c08c21da28fcf65f19a7bae15d3bcc0a5ba78ed8222980cfda4
  SHA512: ccbac7ff96c1147d4e93ca29a46ffdeea3d77d7657e2b71217de5381d84add6041f9c95d534646b1641a1dffc0d5fcb713ea069b30ecdca76c773a2808dc6e14
- Filesize: 11KB
  MD5: 90a838a5b2e1ab7e59a2574800e114fa
  SHA1: 2a75a2ebd3c63773e6a0986644d0e9c6124d7155
  SHA256: ac8e8d6a207a6513c8a4a3cced3cc9f955a6b9ec8f60d55a6c5a447266ff6f25
  SHA512: e79ceaa478a841adc29e3a3f3ac250f1b29f5050a990197a49ad335ace027eba40d8bad03943296842159e10261089228f496d17026f8244abc1ed10b07a6926
- Filesize: 15KB
  MD5: 0c4ee74392bcb9c2651fb89da5d6ea38
  SHA1: 3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30
  SHA256: 271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869
  SHA512: 0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 68a4cc885c00279bc3053d0293aedae7
  SHA1: f684dfe6bafccdde90911f4eda4968097138a677
  SHA256: eb6b11c200160b4cb696617b7aa2c78dc0f61230d3516a46bf0c235ca124e1d3
  SHA512: 122fd55de6d76d61212afe0b2079a38f16a1dbf3d1ae4875de19f319b764c18ac2efad672aa9bd3dc7194cbdc16bf56f1166a581b8374364714bda33fbd30507
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ee19.TMP
  Filesize: 48B
  MD5: c5d7139e79b0d8a5a2d083aea842c3d1
  SHA1: c4125bb44a378049c482089e7dbb936ba902635a
  SHA256: 4bd112b99936b5188c688896cf9f316f36a58a2a3a2ff979ec6bc0c054615104
  SHA512: 9278868070d7de42d38985604a853151c173d6149fb45af8dddf1920924d5141ab85de54cc4de7c0ddf728dc3ac9112e87f4ab88f4ea4731890fa6ce66fd0494
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f5faabae-c99a-4405-9fa9-d9d5f3f00fda.tmp
  Filesize: 11KB
  MD5: 897e34dd20c7b232e3f73ccec9e64058
  SHA1: 1b3061f76da901cbdf663ea9e24fa688d9d087ae
  SHA256: e162357c2eb8d4e19cf77f30a1668839ce421adb096873019dd04487b7cdbb18
  SHA512: 8c0e58fc0e665a6778b3bbf84d7b4603a570b465a90f723e2eb6a5a13a96658136610a5a5a8324e7fce6ed10326f2834237076288fa4bf079267ca96be875066
- Filesize: 264KB
  MD5: eb301a4b2981cbfa43fbee0b493c393b
  SHA1: 30e636da0f6cdabe9ea85506eb8a4245743980e1
  SHA256: 1fbc3f8a030dad0286e7be4bd39e5a9c971d2c316ea1836c4e8316baf159f27d
  SHA512: 318f75afe9c75a9c5f28de0b579d270a74964bc3491012ebbc94317a135c916a903504a504cba84e8fcb7095d810be0f84c2b501239b431a854f451f3de44bf0
- Filesize: 81KB
  MD5: ebdd196d0d2f92598572d1604fcb2c60
  SHA1: 4426ca9304078e0b7598f8e97bb68dd7d65c17ac
  SHA256: 9b1d815628007aed07cfc7359e0009eac8d869a9c823ef8de09ffa4b08976918
  SHA512: 585016060aa9f2a589b689af25d843be239d8e8f698fe1a59f1bc8fb73fa8c22814fa22cce56c9a8e6b2dda51887352118f0b7f94e530ceeaf5130fec3eea3da
- Filesize: 80KB
  MD5: d4352e0648ce801c3f00ac487ff660ad
  SHA1: d49166c7d606ac7eda79d810e69422c3bb0acc2c
  SHA256: 861a701765ce90fecf0ca6a819589b3751ac34a8d45f5b37e7494438b6fd7e50
  SHA512: 871a6cfed23ed82c50f3b9d6721222b79b0476e16db6944151297eee5e33231de4f01e00bdbbf5507cd0b8cca7a56b1bc6a486ff76b4769ac8275528d36dfd02
- Filesize: 81KB
  MD5: 929dd3a6a7bd7c7d07d058cc164ddcc6
  SHA1: 88a60c854db7383f0ba535f5f98a18ff3a447445
  SHA256: 974de74854c2a9e6f560ff350464f678e57c1186ec5eb0d811c9fe6812f98c71
  SHA512: 391b40807a814550f5027b8ce7d525c9307ae38564170e48c5b4d6110e77e11fb6785fd8808a2441fa64e893e5dc2edb9b19a3be47bb97e4b0b543765ba423ff
- Filesize: 81KB
  MD5: d428c703dee152bfb547e23265a4ab3f
  SHA1: 85da73a75ef33d2a29fb944829006dedd3ba18a3
  SHA256: b81bebd8e0a34410cda12ff5d7600490ba199fc336e5cb0055365a093237facf
  SHA512: 57f7d0825a2404a23b2cb3f3699c4130947ed49f762f846ef8b8db9e9579e87b51bc6000a429711a7bdfa59634e66cd3aa5b932ff33013dcec08fe632c1f670d
- Filesize: 81KB
  MD5: 885cfea2f8deb8110bf6024df49a3d14
  SHA1: a8a65cc46cf648d2bc82d328d93f0a850c235246
  SHA256: 7b4ff8e74adb75417b116891c67e4f0e63c95be0d7d965f090fa1ea0db85ea5a
  SHA512: ebb6e86975456f7cd2801056595cb333a36e5daea4cd7174512bf6a219cd35b2115dd39e7396b0f6827b5446df7d689ad85858e19c2c0e8e72e8e7c586a2f1cc
- Filesize: 103KB
  MD5: 8bcd083e16af6c15e14520d5a0bd7e6a
  SHA1: c4d2f35d1fdb295db887f31bbc9237ac9263d782
  SHA256: b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
  SHA512: 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
- Filesize: 48KB
  MD5: f724c6da46dc54e6737db821f9b62d77
  SHA1: e35d5587326c61f4d7abd75f2f0fc1251b961977
  SHA256: 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
  SHA512: 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
- Filesize: 1KB
  MD5: 57f0432c8e31d4ff4da7962db27ef4e8
  SHA1: d5023b3123c0b7fae683588ac0480cd2731a0c5e
  SHA256: b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
  SHA512: bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
- Filesize: 144B
  MD5: c0437fe3a53e181c5e904f2d13431718
  SHA1: 44f9547e7259a7fb4fe718e42e499371aa188ab6
  SHA256: f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
  SHA512: a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3
- Filesize: 1.3MB
  MD5: 35af6068d91ba1cc6ce21b461f242f94
  SHA1: cb054789ff03aa1617a6f5741ad53e4598184ffa
  SHA256: 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
  SHA512: 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
- Filesize: 861B
  MD5: c53dee51c26d1d759667c25918d3ed10
  SHA1: da194c2de15b232811ba9d43a46194d9729507f0
  SHA256: dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
  SHA512: da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c
- Filesize: 1.7MB
  MD5: 272d3e458250acd2ea839eb24b427ce5
  SHA1: fae7194da5c969f2d8220ed9250aa1de7bf56609
  SHA256: bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
  SHA512: d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c
- Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98