dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

24-02-2024 23:16

240224-29fd5ahd4w 10

24-02-2024 22:21

24-02-2024 22:06

24-02-2024 22:03

24-02-2024 21:54

24-02-2024 21:50

Analysis

max time kernel
164s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 21:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Drops startup file 1 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini	CoronaVirus.exe

Drops file in System32 directory 1 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationTypes.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Process.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\WindowsFormsIntegration.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.Primitives.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\System.Windows.Forms.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\WindowsBase.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Diagnostics.EventLog.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\PresentationUI.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Linq.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-high.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\msquic.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\WindowsFormsIntegration.resources.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\UIAutomationTypes.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\UIAutomationClient.resources.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationClientSideProviders.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.AeroLite.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.CompilerServices.VisualC.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\UIAutomationClient.resources.dll	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-125_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\UIAutomationTypes.resources.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Forms.Design.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\MSFT.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Primitives.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\System.Windows.Forms.Primitives.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\System.Xaml.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\netstandard.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.Json.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.FileSystem.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.InteropServices.dll.id-8E2CC7F1.[[email protected]].ncov	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

9184 vssadmin.exe

pid	process
9184	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133532850198975768"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

chrome.exechrome.exeCoronaVirus.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1760	chrome.exe
1760	chrome.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe
3508	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1960 chrome.exe
1960 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1960 wrote to memory of 1068	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 1068	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2420	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2672	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 2672	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4564	1960	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff967229758,0x7ff967229768,0x7ff967229778
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:2
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:8
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:1
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2472 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 --field-trial-handle=1868,i,4840882716142353504,2307459005402577928,131072 /prefetch:8
2⤵
PID:1116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:3408

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:6904

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:9184

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:17280

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:17984

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:17572

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:17632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:8608

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe"
1⤵
PID:13188

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
2⤵
PID:15312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395a855 /state1:0x41c64e6d
1⤵
PID:17456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-8E2CC7F1.[[email protected]].ncov
Filesize
320KB

MD5
287516ab05ca4f875329f6e97cec156b

SHA1
0dea7b1be1b9e6087955b0ea9b085e00857f1e57

SHA256
fd5e213557a3f115b8a760521d3446dabee1e420ec39f9897f71ab161b731cbd

SHA512
84f8c5b9750faa1e7040cad61fb9010d0a66939fe12bde738161a2ed22e7f70d9ee4ba97d02933e81e536416f5f02569ca7e820db3530885b731384b31cf1777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
0bff1a341a69fab84726696cc335c8f6

SHA1
0bf0ba8944d4bc68bee7d6dbe3987839075dbe5f

SHA256
e07b13f94d70812eb096cf87dc54cb43c834ca1c1846780b00dfc92e3d271d8b

SHA512
6f6ccd0153340b1ca4104b11101ac7fe0800ace83112a281bef7f8069033ed27e1c3ff379cb8d3a0a70b185a06e0f571cee16759349a5714d335e6ffe2705611

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
06825c0454505e47a843a4697dcda7d8

SHA1
ce099f685d97b4b59f5c44d77cf3f9bfb7044fe7

SHA256
0c6f6fc0e827969df8acf6e2b2aa884b4022a8e36e37512597446dbfbb5420c5

SHA512
8bc421c17d74c83a49b4d317a3fa195dc504b6aff92ee92350e8e8a1d49e399af59c32608d3afd2e0e488d7ab6cce17d4a2615dc66a77f44feb1b090115678f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a72e017c100478fd88c8ce9b3a09ee30

SHA1
523c6728b0eeb81b5ffdd9bd918cf3fc9d4cd48f

SHA256
a7ca7b11bab15f4e33e6d721b269360de93e94027c6b98db29360848105f3ac8

SHA512
d50582806494ddf2464d338f4f1b00ae1a014fca13c13c7569299c28a94ced065f30ddc49a2df2a0ea0bf069c6363a195cf036a265b48068f52a9dbdae69dc75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
20a7f911af3339bac8c3a37484558e37

SHA1
b24da6b4b00d1b4a2d70998e776bf3b0a626f1da

SHA256
ac18c59b2fc5b45cfd931563077ed6966404298dd61873637fa9aff3bd00d673

SHA512
9f2868dae1f926e2e3aefa8260f4aa8716cc6c1587f75fea271b103d3c7722e10831007b1480c2e4371e1ebdc16b8ae8782b969eea4bcb0f041e7233493a7073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c4f83a7676a79ecd05c35b5f2fa06091

SHA1
712f261135ef7d69354fbcbc7d3f91e35b71dc00

SHA256
5f8418a239b507fc48d2bc9e37fd18f6d61050cb03a5fd65b84363efae92c54a

SHA512
e21ff3d3dee5bbeb31af4bad33cc4a46faf8c5a08d516a371d01ead5799864354d3108b9baea8de2f1797fab654898e60fd83e67c769798318e7ab26144611d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4a8235b5cf9eb05f7722bdb5ee91e691

SHA1
bf3c427086ee91bd953b3a1315c21d5f10ca4025

SHA256
d6841d7dcbbb6aac33028988db47733fa6f5ffabdcdadfef30ead61323e36e89

SHA512
e29f95abea35889889fa90e12e446d0fd633fb3086f0a9c92cb426cfad6137c208caebf0b63a1412ee17e4bca0089db42b3b61d7dfb24423bd8477afcb9ef5b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
42a6ff059115509b9528439a6bbf38d5

SHA1
ffc95dcba37817cda052cd48fe656810805b2eb3

SHA256
1f2a9727f9ec722b0b753fef37bb52079e54a97d216e1e7f8bf1e3810f03cedc

SHA512
a7419d02a4d626812830b7fccc7348bdc0aa963349286f9abbcfc8a5bd9e93762f820f77e88c5702fbdb1a42e450d4051bc4867f14794332196eadf928480f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4b12db6a83ebf5670f9d42a394dcf516

SHA1
a6f870806c1b73bb0018b2f2a8c69b199a53830a

SHA256
d7b07de8bac9b74957cef999b9a968f44d3a433f294899d0698b73f8290d8e0b

SHA512
dd56a7aa7e3a1158238de01eeabd4f0f4617ba8d4c36b2cf59183965b68371e42bbd7058e32af27805bd46f93df9b6e29901baf3c0aecf5e50f95ccd22ba3ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
72acb8ffdeadf54cce38fced841149ab

SHA1
8eef06354de640ac5082709001bc58a1d390c5e2

SHA256
c190887af48d655714bcfd7f32fa1764b10ff758e12bb4e65e8e4109abf6809a

SHA512
f79cf43cc3e57fe08e686a565bfb36dcae7a343b8383a60347c7bd52b3a2e41fd01bc348ae83494d43081ced9b4d56ac712e7cfb0902bdba9116454325b7e690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
8ba3c22ea8406bc9cb8ad417c1a2e58d

SHA1
fe6eecb86c1235ddf29118754aad1a518f93523c

SHA256
f31a3edaa0861c63cef98d562a81de414afa7d8e159f25c84d44453e8758dd03

SHA512
ea6557e4d236d12b8efe77438d32cd2b3cb39b25a503e8409c9393e6b9ade33b4474248afa44a86fd3a2da66286ef8ae2e301fa2d4bfe4dc998e9f9e478cd86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe597e7d.TMP
Filesize
103KB

MD5
0f991ac75adb2bfdd2f489b384915684

SHA1
7da823fc3d9675a2d16def6097de235849add683

SHA256
7a5a7d774affed81b860bb3c750f33e0bdf78de0b7b5f20794378ab8eb30dd98

SHA512
44de4faf07e0a798825886f1ddd766d38dbe550472f34b6e125080dafcb96cd84deb3992d629287e2d8fb028e3cca7803877d615389c44abf927d766cc1ee0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip
Filesize
3.6MB

MD5
003cb0cf638db1548c956a82d659c209

SHA1
1a9c9856c8f9c318aee5f3f7b3cee6ede05446e9

SHA256
ed684246ca8187d7edc1f7445b233e2bfe1be0276b08dfc75105a20205e7cd95

SHA512
32abdfd82d0c293e40d313e2aefb4b57bb97e5e7b96443fcaf0db73f5a0483677cb0dbeef45b5d287200672b88847052ded7c649617e7b53490f527c696e5547

Download Submit
\??\pipe\crashpad_1960_FQSSGEKXPHOXNJOX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3508-244-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/3508-245-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3508-243-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3508-5657-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/13188-18796-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/13188-24203-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/15312-24204-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads