dharma | hxxps://malx[.]tpsc[.]tech

Analysis

max time kernel
583s
max time network
588s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://malx.tpsc.tech

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (496) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CoronaVirus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Drops startup file 6 IoCs

Processes:

CoronaVirus.exetaskmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe

Executes dropped EXE 3 IoCs

Processes:

WinNuke.98.exeCoronaVirus.exeCoronaVirus.exe

pid process

4292 WinNuke.98.exe
3984 CoronaVirus.exe
7960 CoronaVirus.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4292	WinNuke.98.exe
3984	CoronaVirus.exe
7960	CoronaVirus.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

112 raw.githubusercontent.com
113 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
112	raw.githubusercontent.com
113	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.AppContext.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\WindowsBase.resources.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Analytics.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-heap-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Input.Manipulations.resources.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-namedpipe-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\netstandard.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vcruntime140_1.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Input.Manipulations.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office32mui.msi.16.en-us.vreg.dat.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Resources.ResourceManager.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmcachemgr_xl.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\BlockPair.bin	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

7656 vssadmin.exe
18304 vssadmin.exe

pid	process
7656	vssadmin.exe
18304	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exesvchost.exemsedge.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e007180000000000000000000002f492640692fb846b9bf5654fc07e4230000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 2b010000250100eeebbe17010400000000005900000031535053537def0c64fad111a2030000f81fedee3d00000005000000001f00000016000000500061006700650043006f006e00660069006700750072006500530065007400740069006e0067007300000000000000550000003153505330f125b7ef471a10a5f102608c9eebac390000000a000000001f0000001300000043007500730074006f006d0069007a0065002000530065007400740069006e0067007300000000000000000065000000315350538727bf5ccf480842b90eee5e5d4202944900000019000000001f0000001c0000004600690072006500770061006c006c0043006f006e00740072006f006c00500061006e0065006c002e0064006c006c002c002d0031000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{963E4A10-7720-4004-BC69-70063A07F6B1}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{5FBADA43-E5ED-4E6F-BD36-CB6E5E7A09D0}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 407668.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 949427.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3252 explorer.exe

pid	process
3252	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeCoronaVirus.exe

pid	process
4284	msedge.exe
4284	msedge.exe
4008	msedge.exe
4008	msedge.exe
4896	identity_helper.exe
4896	identity_helper.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
4796	msedge.exe
2424	msedge.exe
2424	msedge.exe
2956	msedge.exe
2956	msedge.exe
4532	msedge.exe
4532	msedge.exe
2352	msedge.exe
2352	msedge.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe
3984	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

explorer.exevssvc.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	3252	explorer.exe
Token: SeCreatePagefilePrivilege	3252	explorer.exe
Token: SeBackupPrivilege	11604	vssvc.exe
Token: SeRestorePrivilege	11604	vssvc.exe
Token: SeAuditPrivilege	11604	vssvc.exe
Token: SeDebugPrivilege	10060	taskmgr.exe
Token: SeSystemProfilePrivilege	10060	taskmgr.exe
Token: SeCreateGlobalPrivilege	10060	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeexplorer.exetaskmgr.exe

pid	process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
3252	explorer.exe
3252	explorer.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe
10060	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4008 wrote to memory of 3812	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3812	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 1928	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 4284	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 4284	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe
PID 4008 wrote to memory of 3828	4008	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malx.tpsc.tech
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff8cf5a46f8,0x7ff8cf5a4708,0x7ff8cf5a4718
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
2⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
2⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
2⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
2⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
2⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4112 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1500 /prefetch:8
2⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
2⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6852 /prefetch:8
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
2⤵
- Executes dropped EXE
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
2⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:648

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:8156

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:7656

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:22504

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:18392

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:18304

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:17648

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:17820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta316baeahf29ah46efh8dd1h9fa404cc389f
1⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8cf5a46f8,0x7ff8cf5a4708,0x7ff8cf5a4718
2⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1360,7618525651593150069,5994101161630766311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2724

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3252

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3856

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:7960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:11604

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:10060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:18232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov
Filesize
1.4MB

MD5
e946756aa0c3512ec9ed4674abac2df4

SHA1
7b2a252f444241adf7969849076bc923835940b1

SHA256
2a626fd6307c2294c019c677c577a797d16118f58505258c5c84db9a04353dd5

SHA512
1cfebf8ecc444409860035ffab878333f6883479c8acc0068dbe6368805b0889857ad466cbf19102806165c0942ef9efaaa2ef84ab538685fc27cb049fd0b325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aa0ad16f3562b9b898f2527c98ce182e

SHA1
813683109cde64ba42354323ea4f17c03e024ac0

SHA256
7bf4e8a0937308eeb99301940dc18324f7d1b7366c4f28fd60379876e9b99589

SHA512
202884bc1e159a19c8fe1c2b4b98d8865cf3b0f42fe9b41fa7bd3e76324eb9a91ab6a8f8c79a7712eb3741e36f7731b6e71ddc70f21b416a4abb3f291fe84147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
2.4MB

MD5
14ca43a5509441cd1024cf6ac30b8115

SHA1
2bfb4ac44ea0c2ab1bf3c8ae6e05d8434753a218

SHA256
d5e514ee39a3481009aab4325f084802e45a15f38fc85eb16b22115282f94af2

SHA512
3c71562af0ea608508e59fbe0ff1fea3c662ebf4ba2a49a3c86b7d6e079f5af04c5947415da64e2f1857f722b7663b7ea9d21ba477196ea496de44c020a8b59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
2KB

MD5
40bb9552c7b73397e7412f7183ca4af9

SHA1
9e7be81dc83b40416e0794a099501ee2480e4107

SHA256
da47c19f72842007d76e821d8c7b130e9dd7090c1d546a5d338e31d28ee8e079

SHA512
81faa5c8209f94a5af9b692e07db8c974b8029e40d90e6779968bd9bebef8074e0ad53009089df312f7a5a7d05e1704cc311dc708704957769198cea5cbdcc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
64872ba839f9586a26938c3d7ffea196

SHA1
5dc820b86b1617bda0c9b01daafa34db44b292d6

SHA256
c0a512611ed84db07d6588f3128045be9f846e6f9c20cfdc6d5befb73746c621

SHA512
1d776c21ce22832c97422ecb71a9077a7a64686da39826f1917554ca75e348fd47028f1ad489579eab3629568ff21d72b3394df1908aa396dbc9e7aebd424779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
d845f2676aa1658b970758e62680f15c

SHA1
183fef23cfe1dd9e3df23611e9f33c899f4d44bb

SHA256
05672dc28496f09bbec8490c1b9d0951a94fb11c03ef5a305e53fd8280cc58b6

SHA512
292a843579fb73d9678557b538bcfedde8cb59f6e05d3301880ef9c2e150cdc86bed52c618c8b0bc40687c78aaba58f20db169f648a179b541192eb7dce6c391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
5577590b03db90def9e94fb0af60a90a

SHA1
34713f37122f57ae6aae55ed00717241c4b18d1a

SHA256
3eda06aaaa03ab8f1ac22ba1703601d8a6ef685b10c7f4f0508b68b925790caf

SHA512
df1dd35af2cfcbfa0384aa0402dde607edf6db088f6903244f9203420bb4b5b251264ccb4c9c9faa7fff7f883d38843617fab7bc7006a5bdf87c979a62fd2b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
936B

MD5
cde865c28c3e6fb058ac0c0f0d055fee

SHA1
f4cb49dbf9f8b286a70a16641dce6d954e8c76dc

SHA256
f062ec83100454fab2269180554cfb7a4caaa57abee4426abda07152b6c2d8b4

SHA512
c337349ade4a7d2df59464ffb3c3ead13726d01e4caf9867b555816a0f897cf83c6311c40711815cbd7b89faa09478acd3dbf83daf36675b5165be8ba5c4885a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
781B

MD5
6fca5983dad960dea48f3179844db3f0

SHA1
0bb0fa9a23aa573369c914e84f82b9e8ba2978b0

SHA256
493f5768716f5680efdbee62e2000ef1bf713038edf07afa6eaf09fc3f7ce0a9

SHA512
5480eb1ae1a814ba976973f6b783abe659e9c6771c7ded1dfca8a7b4aadac88bd7bdd449275e775efc6e20d6e86234681cf9a6be343321fec0b4acfd102f29f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
83b30f6c8c5b51edb2b065e9642ba75f

SHA1
8c21be75dc969d1004989eaba6c0b6e2fea83961

SHA256
fbced01b249cc9d478fd4c8057b8861bf39a1f5803e72b6939c525b8630d3aa6

SHA512
8105714568d0e7d31216057636440f6557343cb03b03d2f5180be37be2a624858d6f85c1df32c48de12b7bbd597b412d22f9dcda2e9bef2e4dfa99627903552e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2d1c3dbf8563f35ed6bd4ba8d0a621a4

SHA1
be76d9f18915e9b69e3b910402c12027b2ab949c

SHA256
3640fc485002feef0142418c9735f4189aaa83beaf3481382776f8dfbdeb7397

SHA512
f13e407d9ce59b7cf5cfc8bdde021cffb531b387904c379266443f64ada5d3225e60b52e82070fb2f38ca33b5707ab22da4d239b4bcec3a79aa7def53c108482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
470e2b6aa11ff50d750cb1d18b49d257

SHA1
52bd3a6e8d99d56a427e03338e6bf9c84d09d4f9

SHA256
b552854c2e8da9001b9372f5ad5f6900c839418a350658bfd83bd54659e8797a

SHA512
1c24ec1fd47d663ef8e5fefc462d6572d8612e71ca82db807f184837411efd937fdcfcb5616669b98172ced5fe53bb11bdebe76206914f815438969722c63722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
08bc54bd339c612823f0f64f6f7727cb

SHA1
03d39c443bf15158d62e205f4573473a3c053ddc

SHA256
e656b05777f3ab30add74ed2a60c781dede957f0a27f200a0803f8eb5669cac0

SHA512
bea754d400c3a871b8515eb2c8c9b15ffe15caa9fe272c93e99a73cbb102cf0475b0e972d096406fcd2d9b2ea34020b6ec2ee45b6def42dda5eb8681591633a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
f3cd0121cc81bcff1744495a94c4194c

SHA1
63d6e6598bffee33a22f267053e9809584ab5d5b

SHA256
ded4ed396597538da471f1352b7456096d945bf3d2879b20531a6f23a12412bb

SHA512
f241c3737fd3045906dd53777f0cc7dff5af0fed4293fe298519b8def236fda956bfee55cfde2a7e297dd955d5b80dc4e08bd92e03ef700f6471cbd6b009bb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d6999a220e60fc3937d5dbaba5ea772d

SHA1
ba45ff6390d2cd5877c7398b97ed013d1244a5f8

SHA256
1ea71a70d425b3473d701b3e9a414120ee5f0350ab35d339d17d124c01242bbd

SHA512
69376b69b20e0e16d1cf7e1856f1abd5180e581cf8c89867a7c2819db115c46f203441d8129b790d607543f206d3a0ed4f70f14246ef01aae13733147f1faf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a41bb2f372afdb0c84313b85fb503929

SHA1
b0a4a1c1c0300cd7c190abe2c4c4ea18497d91bf

SHA256
081e282db41f9bcf56f9a8896db2b157c416c238e64ba8c938b6dc2019b99829

SHA512
bfe582cbffc37950ae9a1657ffb30dccd1960edbf1b00876fd945047e252dcbef31590777b8b5129142934e006fb779cc107c7d95affac46f253a4791beb2898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
415b849a3831f756c8ec57f33a4bbc0a

SHA1
198c6e5a789c61332b598e21a37635f951ecc5d3

SHA256
0647885b8087a17dc9d247761d70714c58ec4a3b565d0463ed3c364c7dda0100

SHA512
bb53ab122116389949583f9bce64c00ec0b8dc450627cd28ec56d0033220095095a9129dff7365d77827b0ebd853eb959948bad8a478a5c9e8feee89b674f7a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b84432fa897e524c5898b597aa939230

SHA1
fdd619ab878c762feedcad3fa50774343219c1d0

SHA256
dd7c81300f057546f4fefd90582ec6ce3a27a5af11bca49a241154e8f760299f

SHA512
cc0485ecacc6fd3e8a9bb75710f530feeb8a724eee684949c56c35b4e88a342e59b6e79698034e0558e37ce4480c7253a70abd375a27fd556ff6bbdcc933368a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e0e0de62fb2bea07a6c3fefc49f6689f

SHA1
766b359adcbb8233cfc9cace1b0dfc60be948a99

SHA256
148521bca1f3beb06fc9e9b840ca2c3de66830246d381d6606ff8926a9cff52f

SHA512
10cd4417eb03b7c57300f373801c7f5f75e75fff9a0b5437f52f885e46f0109388c92b29e39a62347364ca1f49575121a4b9ee9a64a13decc4574b0d5499ebee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c0fee5ca0b84ddbe77de72569cd117f1

SHA1
9e9eb189488f44178474e4eb6bbcee7d2ab5b7d8

SHA256
d1911ba3ef22b717db0150a671ef98915ed59b29299d24b362ae8636f10ca4a6

SHA512
1ec50243db2274720c705f357e21d6d274a71a2bfa5ada0e6fd1dae82088e7f0102c8b590234a2091917e4c14787050d3e1b5c37bf6906d31f6baab4cee1e674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d039c.TMP
Filesize
538B

MD5
b7b2b9036992abf20771147bcd7971a4

SHA1
1af958f5396d10f80931c52e6aa4be7c6a8eab65

SHA256
7cd67c08e437dec2c633757347bc91dc8a79aa0f9d37e3ba5f8199b013e57d14

SHA512
b5a76f16036aaf622dfefd6f7e2084f0033b663dd3751e49951775596d6356ddf3b7b21be22874b614fe44a67f15b86b261c5441fb6b552dcecac332d56e7a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
790b209376fcffeb3b3303bf57fb7b78

SHA1
ac7a924c9cfea73c3c7dc488003e40ffb812cc47

SHA256
32e23883d553fa996b9c02b910ca1e07d6d671393bded129a99dc96ada5c6028

SHA512
a5a91d400ef9544082ee537adc487108a9c484286b7236c3d9dbe6a866c354d4676d88a3d7c9844f4a347893e04f0cba49d95d1e96b782b8e83bdeb1697e83ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fbbe6d171d04a66e2cb1d31a514a844f

SHA1
3a58acc593f832d53067464c64a2803d3ac32cd2

SHA256
06367474949d0bfa944e823fbeb286ad0939da66698f0dab7a99c299387a4941

SHA512
3b2ff65cc1f12d535bf2a36d4816c7b465a82ab30d2296f489e101e4868edb6a839e3e06e5bd97cea7c43f7efaa36b94ab973e044836aa2b3d2ae5b0a7d8596f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b9558f8809d6d08801cf8da2800c81d6

SHA1
4c42497a89ace11500c676be463ce8c19153875f

SHA256
5c5f7af06966a4d362351b88605960f7b4aee906e8da3fcd3165f6a5bd515dcf

SHA512
e05b9f1c8368f45121a142bb7b5ec362c03ce819f97a9e9a1d7507fa28ccc35202fb9c903e2a5405e46641566a3452f997b1be4dad4c7fce69b33bfdfd961afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c1de7370151f5ae275b2c3f35fc44496

SHA1
e6b5a944a80d4d942dd37b8633ee232e63099194

SHA256
eed77d161e1eee23e982d91c98b1ae2c43ef4cfc9378b0363412d6fe084d3d33

SHA512
ae5797dd60a36e0e4c13761d1a753ee02ff53ea4803ed61eb10e0f11c317fd8c74f04e119b59fc6654a45f0443a9dd4639e7b7a8eef65549e2225b03c3c58d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
536f62db4366c4b0c866cb4daf84d73f

SHA1
f9f2c5850a6a01767de5dd38aead6f0932913ed7

SHA256
94709a6feb1043eb9d9c79d313b6e5706b66aacbf8303f889fb6a5bb45e00796

SHA512
9037355b36f2a78eb930a39b8c08b9bbfe94aa02d6b35fad1d787be184a14aa42f0c9b35e0a308a879e2080ade7ec60c7e3d301fef9f93c4d5e1f7d71210cac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
4c23e937ee75c74eb4c54d8a4eef5f54

SHA1
256a05de1121e83bd65b51a76164457da8773138

SHA256
cefba249bb63d8d8dbaadd4640d44d903a3ad02dabd4034fe235c34f7dce33c3

SHA512
0932f3d53044128ccff73dc123c949cac9ab6debec34381242e0e2f918fe75cca0a6c58fe6ab3f93b10ea8919ffc3ce1a026538f96f13fa08dadc6fc36db9c96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe
Filesize
320KB

MD5
04de17d6829c0fa05e6810675fbf0d8a

SHA1
f264c875ce3ffec0e767057cb7a9cd735bd96060

SHA256
200e24b27e6377dcfec72e44e9b2f2a9c80acb9a5c89c8fa9bfc63a7a0c2155a

SHA512
7ffb8f30bf9b9185e127dd52bbb0f8a1ac5f64dc3a67527e9f2f2966666aca3a19246a9e8f4d99caf203e56897caa669f327512b5769b0586273734e7646e8eb

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe
Filesize
551KB

MD5
70689235fed9188ec1c29c535cd9854b

SHA1
97fac1131adbce27d63dfd711b7052b20bc290a1

SHA256
7ba6bacea29ccc7379a4d7d4c30368f3eec687a87049c44839917b582e900ee4

SHA512
03a8b6788c2a20ba103cad9c6d3f3de360c5c2ebb420202182c0ce86452f04f6c58ad43649fb5e7ec36467efbb915797c73c8329c841f35fb3e818ce7bc255ad

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 407668.crdownload
Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 949427.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
\??\pipe\LOCAL\crashpad_4008_ULUECXJAYRLFYSHP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3984-758-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3984-770-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/3984-771-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3984-3289-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7960-3308-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7960-8987-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7960-6476-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7960-6208-0x000000000ADC0000-0x000000000ADF4000-memory.dmp

Filesize
208KB

Download
memory/10060-25103-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25102-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25104-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25108-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25109-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25111-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25114-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25115-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25116-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download
memory/10060-25117-0x000001FE34B70000-0x000001FE34B71000-memory.dmp

Filesize
4KB

Download