dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
383s
max time network
384s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
29-02-2024 03:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma bootkit persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Control Panel\International\Geo\Nation	chrome.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 16 IoCs

Processes:

CoronaVirus.exeCoronaVirus.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exePowerPoint.exesys3.exe

pid	process
3488	CoronaVirus.exe
3788	CoronaVirus.exe
10568	chrome.exe
10296	chrome.exe
10748	chrome.exe
17456	chrome.exe
17316	chrome.exe
17092	chrome.exe
16816	chrome.exe
15788	chrome.exe
15808	chrome.exe
15604	chrome.exe
15448	chrome.exe
15424	chrome.exe
15076	PowerPoint.exe
14996	sys3.exe

Loads dropped DLL 12 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
10568	chrome.exe
10296	chrome.exe
10748	chrome.exe
17456	chrome.exe
17316	chrome.exe
17092	chrome.exe
16816	chrome.exe
15788	chrome.exe
15808	chrome.exe
15604	chrome.exe
15448	chrome.exe
15424	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2852630833-2010812756-3750823755-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

65 raw.githubusercontent.com
66 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

sys3.exePowerPoint.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 sys3.exe
File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
65	raw.githubusercontent.com
66	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileWide.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v11.1.dll.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-16.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\vi_get.svg.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\parchmnt.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\pages\winrthost.htm	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak	CoronaVirus.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_cs.dll.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\PlaneCut.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\11s.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-150_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\spider\2_Piece_Silk_Suit_.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8201_40x40x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_2x.png.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\paper_indiarough_512x512.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vreg\powerview.x-none.msi.16.x-none.vreg.dat.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Beihai_Common_Diagnostics.winmd	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Describe.Tests.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg.id-137E83CC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

31160 vssadmin.exe
9784 vssadmin.exe

pid	process
31160	vssadmin.exe
9784	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133536493636517159"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeCoronaVirus.exe

pid	process
3140	chrome.exe
3140	chrome.exe
3584	chrome.exe
3584	chrome.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe
3488	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3140 chrome.exe
3140 chrome.exe
3140 chrome.exe
3140 chrome.exe
3140 chrome.exe
3140 chrome.exe
3140 chrome.exe
3140 chrome.exe
3140 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

chrome.exe

pid	process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

14932 LogonUI.exe

pid	process
14932	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3140 wrote to memory of 3060	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 3060	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 2228	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 4868	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 4868	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe
PID 3140 wrote to memory of 1600	3140	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc6df89758,0x7ffc6df89768,0x7ffc6df89778
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:2
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2792 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3664 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4620 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5104 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1788 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:1464

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1080

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:2860

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:31160

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:10616

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:9808

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:9784

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:10032

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:9936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
PID:2600

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Executes dropped EXE
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5172 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:10568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5320 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:10296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5708 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:10748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6100 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:17456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5948 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:17316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5616 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:17092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5932 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:16816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5224 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2468 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=832 --field-trial-handle=1864,i,17570650891999577120,639678828770118720,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15448

C:\Users\Admin\Downloads\PowerPoint.exe
"C:\Users\Admin\Downloads\PowerPoint.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:15076

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:14996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:31188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aef855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:14932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-137E83CC.[coronavirus@qq.com].ncov
Filesize
2.9MB

MD5
c0e2b962e1f90b70b429534207a29f19

SHA1
5a7b7ef07fadba1c52f8acec85e8547ff854d76c

SHA256
f5627c0398c473d62f3b50b119193695127d7d1be2ea3aaa72d0e1d0c8f47c9a

SHA512
79fc2ed2a80a2457ee24384c65b52e22c40a13850303109c537e3735de98d0abc4459e2f38ec906fe8cf2a408a6855f63a680d67f29751c30047f02d87981c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8e65b8b0-6991-4064-90d1-74c733e44784.tmp
Filesize
7KB

MD5
4912cfcb37f5c04567292abeb8aa5b24

SHA1
cb43c2f2e56bbd554192c8f945d6cbbe1596638b

SHA256
ce00548d9bed422ac5c0ba3397c330930274f1f8cdc8a07b34f76fbeb02c3000

SHA512
4e1f4f82358e61697772e6fdd50df4616169b79545b9048a0883cc86c20e8e5660abeb9828ba3543bc30f21826f79b6b33e61caa47e4d6a8bcbe0e89a364d208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
00ef02e278334fa45dd2c9009731b256

SHA1
9f143f228381d4a266d7ec193de2a9b407974c30

SHA256
3d089696ee876a6dc910c7152fc7ae63324592207b6e0f96f0971cadce3fdb23

SHA512
6881a1f6859bf02d1ee8cd35daeccc07d601c17c3779dc2c619c154ba3817a79ef54bf28ca63e4b3b1b5cd9a330f7ca5ec02e0f0dc8521a1f68afbbb94e294fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
93d466acc31c64b35b6474bb090d3f2a

SHA1
6e8854b994090f23caf3f49bd136b5340342370f

SHA256
0a76a44f414612c8794470a445e73a2df07ffad79835a2185e7a1bd3c1be3f8a

SHA512
40abcd3cb9a84b52846c24058741284ea9b1a58bee9c90e9b1ffbf7983f84c935db98dd50d028e481b825bdc4e209865d5b8a5f8819edb0c2aa5a512cec4d115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
60b0d04fce0310b93212932698ba0650

SHA1
e169091f107192ea8fc81cdc66073b49c06776d3

SHA256
743896408d6c743eeee1ff9e824413a8c94055c63cdf3ba871b4c0a394f2b445

SHA512
11450e6955bf18583700488ca86f1914ba250f8231a10ba205a7d06fa1b662d55aa57c6973f81991cabbc64a1aaf213237816d2841ba359a730168d120d664ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
d5e241cdf5fd7241db3ba85702259ce2

SHA1
008a13cc40b77e1d71affcfb5a53b1ac4afcd396

SHA256
fe08b2e0bf6cc7cdf533940e94b5dff1f8044d19cffb1acde41e453dc0c02b12

SHA512
2da94d8f418ff1bbe9b8459ea17481bcaefbf9bea5238c2922b7dc9a11799ebcc78a73d82793c49c1f606eaf5c3b33d0dc6dba6c9920e6be159f2a24ecaeed20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
893b3fa88ba25dd09183d0462cabd83c

SHA1
2f6587e0273d30e0fd5752a41910a9ce15d14d55

SHA256
0fb192748f9fc0c7c54c79dfb31052955f18be1ddb96285cdffb830181fb9e13

SHA512
e8dac3828a4f026c464d8c988d21b912d102457f97bc929c54bfbfb00a5001338958f303699fb9a31f5b72e4707191d25d215f340328089ed6e7a36368fc0c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State~RFe5be53c.TMP
Filesize
1KB

MD5
f42b0d8aa17260803ef3379651d9cfe2

SHA1
2c0018982e55ef9376e666d42e8371f2721d1b88

SHA256
64eb65c6aaaa8c4064f09e2fa602e68c19494e35d7c3407b9e1695bc0ba0c935

SHA512
76c0182df1d3f92ff7bf3dc7ff250499986aa864eb3c95bc3e8ee4ecc0ffa824aaf4e1927c1f9e423e15403f6f6ec739e1337fdf9050fd29b341fe2cd20de02f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a57d5a7b4c38b304fd6cb3a2674158a4

SHA1
f1ce78a617a38f8577f4d0ef9a402d11cd256180

SHA256
8e919c27a788c3b66630272748eb61270cdf198857fe18508e3b25e0b0486047

SHA512
5b2e3162611f7d039073e2297165c6dab3bb4267faee3cf3e02719660f582e6cf663c2c88162287b32a4e5fae9de67f957a9aeb7141b88663e93d6fafade1334

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0dae26495914a30673eba5b07f53ebb0

SHA1
9f0364f7a05e84149134923efdec7b28f9a34a06

SHA256
6e1bcfa377b67df92a71a6cae8507f1e0a2b089d9e70cd73c9b683f7b96ce93b

SHA512
2ca5c2db293bc9cb4e2b3c41b52e4748cef44e9e20556259d045a5654864c3b2ea0453bf9f7d0b2f53cdd838602e753ee07eb0526b181e5ef7a8cbc43ffea157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4bab44e36750896bc57c49d30f4ec36b

SHA1
926b742a73e9d7b6f17417b9658e29d2179b6899

SHA256
add3aa9a01bffade35d8a51093498e18b884bbfcff95263724400572ad327b3d

SHA512
7459786cb3f311686f68c92f0c5aa61104632bc2fe210afed0bd577bd3b4a06c203d0e6ed3e0bf6173b050e7c6af8be23c91baf76fe12a1f1ec949f70c58aa49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b0192a82839f82f9a826a44051eed134

SHA1
051afcc01e9aef0ec06ec2d6cc0b8e0e3bf04ed0

SHA256
8dfc74fe1e20c0907a1f786f7b914125c449badc261d3fb07b506980c252b90e

SHA512
7e18ca2a7dca5f5c8e1d9e7cb5137440437a11dbd8666656fe117b8b90dada30c8e7e558c91fd9f1b4c74940de1e80cfb652d8ef8388e382ba2340a9a81a3ed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8144b4f066cd7492ac844d19dbeb3d0c

SHA1
f15e84019e3d1c03ce8d954616f34c5a27caf7f4

SHA256
3bfac2fd5d2f2e4f8be820c136695e8ab4585c96929b07ef7511c4a94409a617

SHA512
5ed1091165e3a09c0c9342815b7c2a6167a4dc7013f7ecc13fa3e9d24026e0af82a161b71b3e3003932d822a355b586d3506f038342b08d7aa2b882276fbef62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
28dcc592c9474777d591edaea6817e3d

SHA1
1ff2bb2f6bdd62f13c8bf9c74fb9e3eb96dacb47

SHA256
88b4f13151108005f60dc4df05905956f427e0dfe2dc07ebae43b95d86f965fc

SHA512
f193f65e24a104b2958235f202c1d406720d0c31f950dbfe87799ac1baf910a8fe5fd531bfd7d3a9c07d0f753bb4b627c15eb3de7e82ecd8fe2680bea5f5ff06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe5b2f59.TMP
Filesize
1KB

MD5
2a29c2bbd75c2f3750e358c13d70d2b0

SHA1
9f7568739ba677c349cdb7566821f55de4c80687

SHA256
8bbdf8ca9f09aa02f61c0b6682d8f65bd98b09446926ba019d439a4af1fb5130

SHA512
0ccb2e5ed4f141ee3c5162b0ec709fc3eef3e4e38b7caf48157843105fe9f924c5643198afd4cf095c97317b243aa359ae0ad9ca4a6a84c7b698bee16e5caa7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b9ed5cef922a2716f36d6d825bd88483

SHA1
7c418a381cf3c0f838dc31053446d872c1073260

SHA256
900520acb82aabdd4ac563baf07b04da25b59c477cd58a550376cde9fd3ebc59

SHA512
a04f985845fb72d2bc34d50f0733a997ecd35edfc0dd9ae84cbda48c6fca487d8cb407366f668d5c273f3f9168d5c4602e0060f69f86292b63019bce2ac12e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4e4e90ffeca03fa95180c9f69c2248cd

SHA1
fafcc6e7e2249cf2ba89e9e79dcd99f14d50d51a

SHA256
a10043e0406526a25c542f7e45945fd674a7ed7665fefa96aa9fe3a405e57682

SHA512
d8ef63c4497f1ad5b19c0ae055b8bd28fc3726f260fc515d875d5d7aacc3266e582c090fede0958a1c521f8f1959c38845ff158784efdeb22af923aaf101422c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f828ec473d827047f9a49693cb03d6ee

SHA1
52dac884e887ed5ee06356eb9630a5abd8364933

SHA256
f1d5c047f0841c6dac0dd39f8dd819bfa7391a3dbcfac3f8813e295f83930711

SHA512
3c04027a1f8a475be503d6126c6b62b3a7c2f163eb7d44b3fbce7a72705ade126c8aaea9d25a13e40e64fecd1ac82c3360da5d2f8cc42bf05a603e325998f5f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9cdf909ed29720a327b240132a5afccb

SHA1
6c07625f242bb84a7efcccf8032e0340557cb43c

SHA256
822b18f1b5c42fd6f38a1c3285446404abab15559272f396abd5d2aa67637adb

SHA512
686b71d4ab886e2891a5f2b4fa74d30b2782585de8f65ae1ead05254b24bcfdeca886474c8787e7a0977b3267a8aecc6a14f6a4ca5c68e437c63f34e6f49f7d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1523df9412fc053f22780d4332a318d8

SHA1
73b26dde1022931e1c2a67ce1e8ceac6ab9122f2

SHA256
e5845ac4f49f4d946a83c0626a1570ca030d98510e1da0bb9ebbf04fb1d32eed

SHA512
9636ddf8278748a35c8efca3db924cc6d7701974c63040ea390a22d3f2019a339fc56b499b314629d50b81a2dbccc6e75f8677dc01abf9208171b6b041f729fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5b2d85.TMP
Filesize
6KB

MD5
55fc65ebad8308c6f3f3ceb01ea5db6e

SHA1
88e0f1b74cecb399e0c59b7b94dd5e08f489fec7

SHA256
4135c20a308efaacd69a8a50f52044b94cebd954b692f229f6208a7b8f0cf548

SHA512
0179b533a55f27d44820521ed208e29dfabcca0f44a849b9234e80b33585707b89d04f55361bf5bf7c0381d4c635fb7ccb001cf0da84b647197706c883a91a85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
be01d1ae5a8ccad1adcf45a230476bb6

SHA1
d8a937ad7979b11104771a78f1883c4b7f9dc655

SHA256
dbdcaf624ee73c2f00778350cee2a153c278a7c3ba0d72cda92cfe0f09ea2c62

SHA512
80112fb1b8b70b4f377a4571e861ad8d1a791ed4d5be76ae16c39708b57ef3d6fc0012878a04b2771f4a1a77629f4c444135734a177fae6b6ec5a2903c808c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
affe0634b2f6a816e83ba343e3bc6db1

SHA1
ba0273a16d64c9a6f2c9a623ae987f88aa20b695

SHA256
9af79d6e4484517abc877bc6b8792ce683182cd521067dd751b52f267cd73bb8

SHA512
b5e7c103da45a5b2091e33511d89f10860e52291a535724e5f1f1b80705b2637ca6f303050d7bdc73e77fa4b8c49a8f5facb458e75d71f2461f6417f8634a699

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
92bde6324dbf07a738d97b6538026cac

SHA1
8e1765d42290b338d8fa0219fe7530ea9d8d398b

SHA256
6481d1006659e2274f072d0261ac5a86bc9bb7cb797076010ff91793459e9205

SHA512
174a3cd2b1f1885bbff0d57c7b2007031c615337722bccdea20376ff8a06be1daa818798b19f0c30b69ae09bbf5077e5d852b8c04327cad5b4dc0a68761b0449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe5b2d85.TMP
Filesize
130KB

MD5
96cc8685fee6919d6c4090108d575902

SHA1
40d379006780c302c1a0c897f6a4582fdd5cf995

SHA256
ff3cbad11d96fda7ff1f4620aa884c7b1a5ea803d6627a7ce121a3b325cbc95b

SHA512
b0571c994c0f73a54ac01bb3c45816364077ceb676ceded9655777fda370690a845b3f317d5e6f37790aef8192bbc234ea82bc6b6e0ce98ba26a5d1986b6f704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
9c40d0617c51bfb3e8c7093b337a3ae0

SHA1
3cb9e88ce0169f67a1401dcaa11e704baa2f3de3

SHA256
0fc324aa5c5f6b664519a84454fece77172e686b95b612caf93ce77d78917f77

SHA512
009f5284e51b5ecbe1f684d7cc0c056162567c2840b71162ccd695de3a29590da76461614e78b99d975f42484a09a2335f02eaef9816c91a70c1e2d8d8fb79e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a227d.TMP
Filesize
93KB

MD5
83565d35f59a2f70568f872238d60f78

SHA1
d0d046d007eb1934d0b070f0ecb16649c32141da

SHA256
77f0d05298818cd48c0141f43e3a175215bf200dfc4ee71addace43675f459d1

SHA512
9e39e8b490bd521e45d99eef7cdd7c2c1f68cec32239003dfcd9177e2af7ee77b426069746133dc5c6fed4c609695996122f8bd851dc716d4b338d67c0131a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\PowerPoint.exe
Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
\??\pipe\crashpad_3140_XLINBALYRZKTXBWL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3488-297-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3488-7731-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3488-321-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3488-320-0x000000000AD30000-0x000000000AD64000-memory.dmp

Filesize
208KB

Download
memory/3788-21409-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3788-22233-0x000000000ABF0000-0x000000000AC24000-memory.dmp

Filesize
208KB

Download
memory/3788-22448-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/15076-22619-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/15076-22623-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads