Analysis
-
max time kernel
583s -
max time network
588s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-02-2024 22:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://malx.tpsc.tech
Resource
win10v2004-20240226-en
General
-
Target
https://malx.tpsc.tech
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (496) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
CoronaVirus.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation CoronaVirus.exe -
Drops startup file 6 IoCs
Processes:
CoronaVirus.exetaskmgr.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta taskmgr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe -
Executes dropped EXE 3 IoCs
Processes:
WinNuke.98.exeCoronaVirus.exeCoronaVirus.exepid process 4292 WinNuke.98.exe 3984 CoronaVirus.exe 7960 CoronaVirus.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
CoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.AppContext.dll CoronaVirus.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\WindowsBase.resources.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Analytics.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-heap-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Input.Manipulations.resources.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png CoronaVirus.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-namedpipe-l1-1-0.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\netstandard.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_cs_135x40.svg CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxSignature.p7x CoronaVirus.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vcruntime140_1.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Input.Manipulations.resources.dll CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\office32mui.msi.16.en-us.vreg.dat.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Resources.ResourceManager.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmcachemgr_xl.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\iadata\BlockPair.bin CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.id-B2EEC3E0.[coronavirus@qq.com].ncov CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 7656 vssadmin.exe 18304 vssadmin.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe -
Modifies registry class 64 IoCs
Processes:
explorer.exesvchost.exemsedge.exemsedge.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e007180000000000000000000002f492640692fb846b9bf5654fc07e4230000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 2b010000250100eeebbe17010400000000005900000031535053537def0c64fad111a2030000f81fedee3d00000005000000001f00000016000000500061006700650043006f006e00660069006700750072006500530065007400740069006e0067007300000000000000550000003153505330f125b7ef471a10a5f102608c9eebac390000000a000000001f0000001300000043007500730074006f006d0069007a0065002000530065007400740069006e0067007300000000000000000065000000315350538727bf5ccf480842b90eee5e5d4202944900000019000000001f0000001c0000004600690072006500770061006c006c0043006f006e00740072006f006c00500061006e0065006c002e0064006c006c002c002d0031000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{963E4A10-7720-4004-BC69-70063A07F6B1} svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{5FBADA43-E5ED-4E6F-BD36-CB6E5E7A09D0} msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe -
NTFS ADS 2 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 407668.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 949427.crdownload:SmartScreen msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
explorer.exepid process 3252 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeCoronaVirus.exepid process 4284 msedge.exe 4284 msedge.exe 4008 msedge.exe 4008 msedge.exe 4896 identity_helper.exe 4896 identity_helper.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 2424 msedge.exe 2424 msedge.exe 2956 msedge.exe 2956 msedge.exe 4532 msedge.exe 4532 msedge.exe 2352 msedge.exe 2352 msedge.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe 3984 CoronaVirus.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
msedge.exepid process 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
explorer.exevssvc.exetaskmgr.exedescription pid process Token: SeShutdownPrivilege 3252 explorer.exe Token: SeCreatePagefilePrivilege 3252 explorer.exe Token: SeBackupPrivilege 11604 vssvc.exe Token: SeRestorePrivilege 11604 vssvc.exe Token: SeAuditPrivilege 11604 vssvc.exe Token: SeDebugPrivilege 10060 taskmgr.exe Token: SeSystemProfilePrivilege 10060 taskmgr.exe Token: SeCreateGlobalPrivilege 10060 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exeexplorer.exetaskmgr.exepid process 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 3252 explorer.exe 3252 explorer.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe -
Suspicious use of SendNotifyMessage 51 IoCs
Processes:
msedge.exetaskmgr.exepid process 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 4008 msedge.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe 10060 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4008 wrote to memory of 3812 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3812 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 1928 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 4284 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 4284 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe PID 4008 wrote to memory of 3828 4008 msedge.exe msedge.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malx.tpsc.tech1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff8cf5a46f8,0x7ff8cf5a4708,0x7ff8cf5a47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4112 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1500 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5236 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6852 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,3796044559278817008,12036090880858116161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta316baeahf29ah46efh8dd1h9fa404cc389f1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8cf5a46f8,0x7ff8cf5a4708,0x7ff8cf5a47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1360,7618525651593150069,5994101161630766311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-B2EEC3E0.[coronavirus@qq.com].ncovFilesize
1.4MB
MD5e946756aa0c3512ec9ed4674abac2df4
SHA17b2a252f444241adf7969849076bc923835940b1
SHA2562a626fd6307c2294c019c677c577a797d16118f58505258c5c84db9a04353dd5
SHA5121cfebf8ecc444409860035ffab878333f6883479c8acc0068dbe6368805b0889857ad466cbf19102806165c0942ef9efaaa2ef84ab538685fc27cb049fd0b325
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e494d16e4b331d7fc483b3ae3b2e0973
SHA1d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5aa0ad16f3562b9b898f2527c98ce182e
SHA1813683109cde64ba42354323ea4f17c03e024ac0
SHA2567bf4e8a0937308eeb99301940dc18324f7d1b7366c4f28fd60379876e9b99589
SHA512202884bc1e159a19c8fe1c2b4b98d8865cf3b0f42fe9b41fa7bd3e76324eb9a91ab6a8f8c79a7712eb3741e36f7731b6e71ddc70f21b416a4abb3f291fe84147
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50764f5481d3c05f5d391a36463484b49
SHA12c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
2.4MB
MD514ca43a5509441cd1024cf6ac30b8115
SHA12bfb4ac44ea0c2ab1bf3c8ae6e05d8434753a218
SHA256d5e514ee39a3481009aab4325f084802e45a15f38fc85eb16b22115282f94af2
SHA5123c71562af0ea608508e59fbe0ff1fea3c662ebf4ba2a49a3c86b7d6e079f5af04c5947415da64e2f1857f722b7663b7ea9d21ba477196ea496de44c020a8b59b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-indexFilesize
2KB
MD540bb9552c7b73397e7412f7183ca4af9
SHA19e7be81dc83b40416e0794a099501ee2480e4107
SHA256da47c19f72842007d76e821d8c7b130e9dd7090c1d546a5d338e31d28ee8e079
SHA51281faa5c8209f94a5af9b692e07db8c974b8029e40d90e6779968bd9bebef8074e0ad53009089df312f7a5a7d05e1704cc311dc708704957769198cea5cbdcc11
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD564872ba839f9586a26938c3d7ffea196
SHA15dc820b86b1617bda0c9b01daafa34db44b292d6
SHA256c0a512611ed84db07d6588f3128045be9f846e6f9c20cfdc6d5befb73746c621
SHA5121d776c21ce22832c97422ecb71a9077a7a64686da39826f1917554ca75e348fd47028f1ad489579eab3629568ff21d72b3394df1908aa396dbc9e7aebd424779
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
264B
MD5d845f2676aa1658b970758e62680f15c
SHA1183fef23cfe1dd9e3df23611e9f33c899f4d44bb
SHA25605672dc28496f09bbec8490c1b9d0951a94fb11c03ef5a305e53fd8280cc58b6
SHA512292a843579fb73d9678557b538bcfedde8cb59f6e05d3301880ef9c2e150cdc86bed52c618c8b0bc40687c78aaba58f20db169f648a179b541192eb7dce6c391
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD55577590b03db90def9e94fb0af60a90a
SHA134713f37122f57ae6aae55ed00717241c4b18d1a
SHA2563eda06aaaa03ab8f1ac22ba1703601d8a6ef685b10c7f4f0508b68b925790caf
SHA512df1dd35af2cfcbfa0384aa0402dde607edf6db088f6903244f9203420bb4b5b251264ccb4c9c9faa7fff7f883d38843617fab7bc7006a5bdf87c979a62fd2b2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
936B
MD5cde865c28c3e6fb058ac0c0f0d055fee
SHA1f4cb49dbf9f8b286a70a16641dce6d954e8c76dc
SHA256f062ec83100454fab2269180554cfb7a4caaa57abee4426abda07152b6c2d8b4
SHA512c337349ade4a7d2df59464ffb3c3ead13726d01e4caf9867b555816a0f897cf83c6311c40711815cbd7b89faa09478acd3dbf83daf36675b5165be8ba5c4885a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
781B
MD56fca5983dad960dea48f3179844db3f0
SHA10bb0fa9a23aa573369c914e84f82b9e8ba2978b0
SHA256493f5768716f5680efdbee62e2000ef1bf713038edf07afa6eaf09fc3f7ce0a9
SHA5125480eb1ae1a814ba976973f6b783abe659e9c6771c7ded1dfca8a7b4aadac88bd7bdd449275e775efc6e20d6e86234681cf9a6be343321fec0b4acfd102f29f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD583b30f6c8c5b51edb2b065e9642ba75f
SHA18c21be75dc969d1004989eaba6c0b6e2fea83961
SHA256fbced01b249cc9d478fd4c8057b8861bf39a1f5803e72b6939c525b8630d3aa6
SHA5128105714568d0e7d31216057636440f6557343cb03b03d2f5180be37be2a624858d6f85c1df32c48de12b7bbd597b412d22f9dcda2e9bef2e4dfa99627903552e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD52d1c3dbf8563f35ed6bd4ba8d0a621a4
SHA1be76d9f18915e9b69e3b910402c12027b2ab949c
SHA2563640fc485002feef0142418c9735f4189aaa83beaf3481382776f8dfbdeb7397
SHA512f13e407d9ce59b7cf5cfc8bdde021cffb531b387904c379266443f64ada5d3225e60b52e82070fb2f38ca33b5707ab22da4d239b4bcec3a79aa7def53c108482
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5470e2b6aa11ff50d750cb1d18b49d257
SHA152bd3a6e8d99d56a427e03338e6bf9c84d09d4f9
SHA256b552854c2e8da9001b9372f5ad5f6900c839418a350658bfd83bd54659e8797a
SHA5121c24ec1fd47d663ef8e5fefc462d6572d8612e71ca82db807f184837411efd937fdcfcb5616669b98172ced5fe53bb11bdebe76206914f815438969722c63722
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD508bc54bd339c612823f0f64f6f7727cb
SHA103d39c443bf15158d62e205f4573473a3c053ddc
SHA256e656b05777f3ab30add74ed2a60c781dede957f0a27f200a0803f8eb5669cac0
SHA512bea754d400c3a871b8515eb2c8c9b15ffe15caa9fe272c93e99a73cbb102cf0475b0e972d096406fcd2d9b2ea34020b6ec2ee45b6def42dda5eb8681591633a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5f3cd0121cc81bcff1744495a94c4194c
SHA163d6e6598bffee33a22f267053e9809584ab5d5b
SHA256ded4ed396597538da471f1352b7456096d945bf3d2879b20531a6f23a12412bb
SHA512f241c3737fd3045906dd53777f0cc7dff5af0fed4293fe298519b8def236fda956bfee55cfde2a7e297dd955d5b80dc4e08bd92e03ef700f6471cbd6b009bb13
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d6999a220e60fc3937d5dbaba5ea772d
SHA1ba45ff6390d2cd5877c7398b97ed013d1244a5f8
SHA2561ea71a70d425b3473d701b3e9a414120ee5f0350ab35d339d17d124c01242bbd
SHA51269376b69b20e0e16d1cf7e1856f1abd5180e581cf8c89867a7c2819db115c46f203441d8129b790d607543f206d3a0ed4f70f14246ef01aae13733147f1faf54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5a41bb2f372afdb0c84313b85fb503929
SHA1b0a4a1c1c0300cd7c190abe2c4c4ea18497d91bf
SHA256081e282db41f9bcf56f9a8896db2b157c416c238e64ba8c938b6dc2019b99829
SHA512bfe582cbffc37950ae9a1657ffb30dccd1960edbf1b00876fd945047e252dcbef31590777b8b5129142934e006fb779cc107c7d95affac46f253a4791beb2898
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5415b849a3831f756c8ec57f33a4bbc0a
SHA1198c6e5a789c61332b598e21a37635f951ecc5d3
SHA2560647885b8087a17dc9d247761d70714c58ec4a3b565d0463ed3c364c7dda0100
SHA512bb53ab122116389949583f9bce64c00ec0b8dc450627cd28ec56d0033220095095a9129dff7365d77827b0ebd853eb959948bad8a478a5c9e8feee89b674f7a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5b84432fa897e524c5898b597aa939230
SHA1fdd619ab878c762feedcad3fa50774343219c1d0
SHA256dd7c81300f057546f4fefd90582ec6ce3a27a5af11bca49a241154e8f760299f
SHA512cc0485ecacc6fd3e8a9bb75710f530feeb8a724eee684949c56c35b4e88a342e59b6e79698034e0558e37ce4480c7253a70abd375a27fd556ff6bbdcc933368a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e0e0de62fb2bea07a6c3fefc49f6689f
SHA1766b359adcbb8233cfc9cace1b0dfc60be948a99
SHA256148521bca1f3beb06fc9e9b840ca2c3de66830246d381d6606ff8926a9cff52f
SHA51210cd4417eb03b7c57300f373801c7f5f75e75fff9a0b5437f52f885e46f0109388c92b29e39a62347364ca1f49575121a4b9ee9a64a13decc4574b0d5499ebee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c0fee5ca0b84ddbe77de72569cd117f1
SHA19e9eb189488f44178474e4eb6bbcee7d2ab5b7d8
SHA256d1911ba3ef22b717db0150a671ef98915ed59b29299d24b362ae8636f10ca4a6
SHA5121ec50243db2274720c705f357e21d6d274a71a2bfa5ada0e6fd1dae82088e7f0102c8b590234a2091917e4c14787050d3e1b5c37bf6906d31f6baab4cee1e674
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d039c.TMPFilesize
538B
MD5b7b2b9036992abf20771147bcd7971a4
SHA11af958f5396d10f80931c52e6aa4be7c6a8eab65
SHA2567cd67c08e437dec2c633757347bc91dc8a79aa0f9d37e3ba5f8199b013e57d14
SHA512b5a76f16036aaf622dfefd6f7e2084f0033b663dd3751e49951775596d6356ddf3b7b21be22874b614fe44a67f15b86b261c5441fb6b552dcecac332d56e7a44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5790b209376fcffeb3b3303bf57fb7b78
SHA1ac7a924c9cfea73c3c7dc488003e40ffb812cc47
SHA25632e23883d553fa996b9c02b910ca1e07d6d671393bded129a99dc96ada5c6028
SHA512a5a91d400ef9544082ee537adc487108a9c484286b7236c3d9dbe6a866c354d4676d88a3d7c9844f4a347893e04f0cba49d95d1e96b782b8e83bdeb1697e83ee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5fbbe6d171d04a66e2cb1d31a514a844f
SHA13a58acc593f832d53067464c64a2803d3ac32cd2
SHA25606367474949d0bfa944e823fbeb286ad0939da66698f0dab7a99c299387a4941
SHA5123b2ff65cc1f12d535bf2a36d4816c7b465a82ab30d2296f489e101e4868edb6a839e3e06e5bd97cea7c43f7efaa36b94ab973e044836aa2b3d2ae5b0a7d8596f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5b9558f8809d6d08801cf8da2800c81d6
SHA14c42497a89ace11500c676be463ce8c19153875f
SHA2565c5f7af06966a4d362351b88605960f7b4aee906e8da3fcd3165f6a5bd515dcf
SHA512e05b9f1c8368f45121a142bb7b5ec362c03ce819f97a9e9a1d7507fa28ccc35202fb9c903e2a5405e46641566a3452f997b1be4dad4c7fce69b33bfdfd961afe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5c1de7370151f5ae275b2c3f35fc44496
SHA1e6b5a944a80d4d942dd37b8633ee232e63099194
SHA256eed77d161e1eee23e982d91c98b1ae2c43ef4cfc9378b0363412d6fe084d3d33
SHA512ae5797dd60a36e0e4c13761d1a753ee02ff53ea4803ed61eb10e0f11c317fd8c74f04e119b59fc6654a45f0443a9dd4639e7b7a8eef65549e2225b03c3c58d96
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5536f62db4366c4b0c866cb4daf84d73f
SHA1f9f2c5850a6a01767de5dd38aead6f0932913ed7
SHA25694709a6feb1043eb9d9c79d313b6e5706b66aacbf8303f889fb6a5bb45e00796
SHA5129037355b36f2a78eb930a39b8c08b9bbfe94aa02d6b35fad1d787be184a14aa42f0c9b35e0a308a879e2080ade7ec60c7e3d301fef9f93c4d5e1f7d71210cac4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD54c23e937ee75c74eb4c54d8a4eef5f54
SHA1256a05de1121e83bd65b51a76164457da8773138
SHA256cefba249bb63d8d8dbaadd4640d44d903a3ad02dabd4034fe235c34f7dce33c3
SHA5120932f3d53044128ccff73dc123c949cac9ab6debec34381242e0e2f918fe75cca0a6c58fe6ab3f93b10ea8919ffc3ce1a026538f96f13fa08dadc6fc36db9c96
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dicFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\Downloads\CoronaVirus.exeFilesize
320KB
MD504de17d6829c0fa05e6810675fbf0d8a
SHA1f264c875ce3ffec0e767057cb7a9cd735bd96060
SHA256200e24b27e6377dcfec72e44e9b2f2a9c80acb9a5c89c8fa9bfc63a7a0c2155a
SHA5127ffb8f30bf9b9185e127dd52bbb0f8a1ac5f64dc3a67527e9f2f2966666aca3a19246a9e8f4d99caf203e56897caa669f327512b5769b0586273734e7646e8eb
-
C:\Users\Admin\Downloads\CoronaVirus.exeFilesize
551KB
MD570689235fed9188ec1c29c535cd9854b
SHA197fac1131adbce27d63dfd711b7052b20bc290a1
SHA2567ba6bacea29ccc7379a4d7d4c30368f3eec687a87049c44839917b582e900ee4
SHA51203a8b6788c2a20ba103cad9c6d3f3de360c5c2ebb420202182c0ce86452f04f6c58ad43649fb5e7ec36467efbb915797c73c8329c841f35fb3e818ce7bc255ad
-
C:\Users\Admin\Downloads\Unconfirmed 407668.crdownloadFilesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
C:\Users\Admin\Downloads\Unconfirmed 949427.crdownloadFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\Videos\Captures\desktop.iniFilesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
\??\pipe\LOCAL\crashpad_4008_ULUECXJAYRLFYSHPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3984-758-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/3984-770-0x000000000ADC0000-0x000000000ADF4000-memory.dmpFilesize
208KB
-
memory/3984-771-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/3984-3289-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/7960-3308-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/7960-8987-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/7960-6476-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/7960-6208-0x000000000ADC0000-0x000000000ADF4000-memory.dmpFilesize
208KB
-
memory/10060-25103-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25102-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25104-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25108-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25109-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25111-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25114-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25115-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25116-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB
-
memory/10060-25117-0x000001FE34B70000-0x000001FE34B71000-memory.dmpFilesize
4KB