dharma | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

Analysis

max time kernel
356s
max time network
364s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11-03-2024 15:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Compressed (zipped) Folder.zip
Size

22B
MD5

76cdb2bad9582d23c1f6f4d868218d6c
SHA1

b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256

8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512

5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (535) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

CoronaVirus.exe

pid process

1308 CoronaVirus.exe

pid	process
1308	CoronaVirus.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe

Executes dropped EXE 3 IoCs

Processes:

CoronaVirus.exeCoronaVirus.exeCoronaVirus.exe

pid process

1308 CoronaVirus.exe
468 CoronaVirus.exe
18076 CoronaVirus.exe
Loads dropped DLL 1 IoCs

Processes:

msedge.exe

pid process

6672 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1308	CoronaVirus.exe
468	CoronaVirus.exe
18076	CoronaVirus.exe

pid	process
6672	msedge.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-160263616-143223877-1356318919-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-160263616-143223877-1356318919-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

70 raw.githubusercontent.com
79 raw.githubusercontent.com
80 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
70	raw.githubusercontent.com
79	raw.githubusercontent.com
80	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-32_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\Dropdown\index.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadMedTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.21012.10511.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\UIAutomationProvider.resources.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\Microsoft.VisualBasic.Forms.resources.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\SourceAppService.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado25.tlb	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintWideTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-amd\IStyleSet.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nl_135x40.svg.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\ImmersiveControl_Slider_Click_Sound.wma	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-72.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\ui-strings.js.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-16_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.Tests.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.scale-125.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text.cur.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\ChoiceGroupOption.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Net.NameResolution.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-72.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan-2x.png.id-49027615.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideLogo.scale-100.png	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

13012 vssadmin.exe
13352 vssadmin.exe

pid	process
13012	vssadmin.exe
13352	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "212"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 887257.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeCoronaVirus.exe

pid	process
1320	msedge.exe
1320	msedge.exe
2604	msedge.exe
2604	msedge.exe
1600	msedge.exe
1600	msedge.exe
4576	identity_helper.exe
4576	identity_helper.exe
4632	msedge.exe
4632	msedge.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe
1308	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 12744 vssvc.exe
Token: SeRestorePrivilege 12744 vssvc.exe
Token: SeAuditPrivilege 12744 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	12744	vssvc.exe
Token: SeRestorePrivilege	12744	vssvc.exe
Token: SeAuditPrivilege	12744	vssvc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

20164 LogonUI.exe

pid	process
20164	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1320 wrote to memory of 2268	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2268	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2040	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2604	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2604	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe
PID 1320 wrote to memory of 2184	1320	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Compressed (zipped) Folder.zip"
1⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9d053cb8,0x7fff9d053cc8,0x7fff9d053cd8
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
2⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
2⤵
PID:252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
2⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
2⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
2⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
2⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4164 /prefetch:8
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
2⤵
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,18180488399427714134,9654627760715611759,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8
2⤵
PID:4848

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:4904

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:20604

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:13012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:5184

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:20592

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:13352

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:1548

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:10764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:23004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9d053cb8,0x7fff9d053cc8,0x7fff9d053cd8
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:23020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:6672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9d053cb8,0x7fff9d053cc8,0x7fff9d053cd8
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:22284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:12744

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cc5f059beb504a4ea0d4ad325a5ebe7a /t 3296 /p 1548
1⤵
PID:944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:9868

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6b296130dcf84d3d92543f4c5a811e8c /t 10736 /p 10764
1⤵
PID:11236

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:18076

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:13576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:14692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e6855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:20164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedge.dll
Filesize
591KB

MD5
a86fa91bd7203aabbd3eb3ab41b938ad

SHA1
4125e1b260507a406bed4755310c0c2e1a9b481d

SHA256
bbb9312f42394e9912920ff6530318426edac99d7069afdb7ce3f97a01240a24

SHA512
948437e82355157feaa87ceca71e0b35bdb51c221acbef2796a6d1c8f90674512ff0fae835c3ae9da90331cc462b1aa818f4af135ca498819083ffd3ea4bab8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-49027615.[coronavirus@qq.com].ncov
Filesize
256KB

MD5
ec87a838931d4d5d2e94a04644788a55

SHA1
2e000fa7e85759c7f4c254d4d9c33ef481e459a7

SHA256
8a39d2abd3999ab73c34db2476849cddf303ce389b35826850f9a700589b4a90

SHA512
9dd0c30167fbeaf68dfbbad8e1af552a7a1fcae120b6e04f1b41fa76c76d5a78922ff828f5cffd8c02965cde57d63dcbfb4c479b3cb49c9d8107a7d5244e9d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
114B

MD5
ded04faaeff48b45f491f9af9fa08da6

SHA1
daa756b0fb7986cd95f01a24425210e8d4b6dbdf

SHA256
d79338890408af04a05d9077706b456de99c35e2bc4ebddda38f8c8d73cfb7c3

SHA512
fada4aab90cd4e87a9d8504668a9a3268e8c1157deecacaa9fba1ddae1e81641436bbd99618f4fdf88ce89248ed80ed29606f08c0f7ec4afb71d7f4ab4107cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
212B

MD5
a3b73cc9d9b45f5304be131da8a1e360

SHA1
5b74dba0a913dba32ccc4eb37ecc46bc3ee3cd47

SHA256
ce4b45745cf8abc0dd35126b0ffb20f418dd090955ad3850faf97940c97e2879

SHA512
92204ae4128ed818514374de665248236722885e2358b3ba88d7cce67edfca58b671c1267b361e1046494de76433f245c9b1bd0c15f2743f362923e6e0f8e4d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0ae4d665-9388-41eb-b7c1-31653119b702.dmp
Filesize
3.5MB

MD5
95230a33f5716944020e8abfda424fa4

SHA1
58ce4450da6f787d37378d31f043f84a16c4a074

SHA256
e76b3f822a83071ee7286d8880d487e00fe52cc54e7afbc028b059381dc34b62

SHA512
fa50f5db04221e4165990cf2cddaaa91ba9f218df76ba09d5324b251c0bc57ff8b53e72ac1307b4c2480020c55e41634be970ade2e4f61462bae1d92c3e95030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\14b05bff-9981-46a8-b80e-1f365d6df44b.dmp
Filesize
768KB

MD5
4638934a99d715226e09e91b27f5c950

SHA1
c720c650d68ba498ad54bde1340c8904981aae9c

SHA256
0103fbc175996fca788eb5489fecb3feccad6d562a671fe9d20eaf5c61ee775e

SHA512
999347af3dac5b097756f02370c888ded037e8b1b9d3a9332d91a3e988e84d785e4d26d338dd275d2217a4bc4121d1ce2cf0040f14ea1a78cdaa96a84b50f162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c48e8b68231fb5b2d7f1188b930bc0e

SHA1
1822aef5da8fdd47626fb91afcf79a2be175a325

SHA256
c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944

SHA512
2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f2dc80f5403feb8461b7ffa09890d6a0

SHA1
d5b61e6d672e7e71571e0132e21cead181da8805

SHA256
eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a

SHA512
5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea0ca56fdcf4a0fb8e2bbce834968ed3

SHA1
4c09107ce4b4892e0daca4f59a6e83080c6788c3

SHA256
9e245565347eb2717db357673d516fe4b13779bff8d1ff4fee536f4f83a59858

SHA512
6829c90cba9f4031307f84b019d1e911954945da2721014a4ecf18d9370bf680ab49aa6029284a8c9817e12b8ef2c064361f74a7edfeaf1b5059d59efee4f0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fd8a675c2a244e06cb549b3a4dd8ae64

SHA1
927c1e5489144d60f3430b4f75fe43f3b2d9340e

SHA256
f44917d5c83e2f9aa32752428f975fbf1fd9fe378c7e95ebdcbd8d31e91d7673

SHA512
bbafe0821aac3c15e85ed59d4e6a2b60c7c9ad80c20eeaef3f4449d71852767f9b468dede5ff78c9ac1837db00bf70bd5c411ca3b133ab984a7a1a56c358a32a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.8MB

MD5
4b8b3372f3e4a2c26ab01c7b794a7ded

SHA1
29e68fd32ba983a87d7df131239aa15b0e89ec6a

SHA256
c81fe01ad443b8c1eeaedd4578cb4c4e83a4401a0072fbea888d4487254c3c51

SHA512
a3edebc487a37207af93c6d2bf124ab290f09951a8c05356c5a25494741b3a5bff6ec16199c2187276ae4e2407feb62fa01cf966442e53536ccd1989500545a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
47d77e2edf189dcde58f10fe2ad997e7

SHA1
8e5e97b861b1d06ffeae6431ee82513073cab9f5

SHA256
cace8c236ad65f45bb752f5227b52d3aa5b03b0a84b8111b6381f48379254166

SHA512
567aa4e8d30a3fb59e2f8d0ae15ac975c3104cd8cf5009d28f7fd5745ae766434f8197ff7c40a9849ac3b071316e766406638b0c582afbed66ca9c49deab63c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
4f6867ca05cc7c93eec4dd7451473bec

SHA1
c3eee65808a579d9878302493bab01b98fa2ba17

SHA256
4018047d745f63960c4c7e9a6ebc0b896d020e4a710fddf616110efa2034eb89

SHA512
9ff80e45cf7d5ef434bfc1fb353661110459d1647f59bce5fbb07f062e2e6392e1a2a6aac0f85593ce5af266d03037103c334448b0c92252963bb88a02591eea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
703B

MD5
6127032e136eeefe0eb360ce27b7863a

SHA1
da489ff5b9daddb0dc755c2bb52630ce751cfe56

SHA256
bbec9af2cefed919c54a8daff577833d21d58aea8c68be9106ff9fb8550f28a5

SHA512
a98cda4e383aa7fa668e2160be40378f1e79696c981a8b45aae166f3819bf184cf99062ab63702c9f115fc2349e8271d97942199fe8959ed9db0a369ece486fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ab5d9a44f46596f6f4d1ca681093fa66

SHA1
a250faa624c2fbde08f5e412dd9661f955321be8

SHA256
18596ab30bc4170ceefa9a2d50c8100bf243b29854b146c86f09d9faa60906f4

SHA512
4c356921966ff50eead106096b4f8d2e95d33a9506886a06f7983c0101880742b8056501d6b98e9b0a72072f515dfeccf5e16180f151de8f3397129f2aba242b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
05e20f215a79a05dc6f6038d493c33b5

SHA1
5da19d9cd3e9af050d7589a0464d4fbe33f965db

SHA256
d3a87342cd57e5ecc7d06ce4a25f70dc2a4471ceaca35caa977c58b04aff3136

SHA512
c8cef2647d98afcdf6941661f4c43e8626d9653cf2428537b0042b9e356165cf02eb5732ca72aa59bd5f36ff0cdf814ad7e36ba2ea77769dbbce436e0dbf5d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
25a941a50c3e21ea4e105324b11f9c68

SHA1
c145d10f0706976fd35a23e69c3759ffc3c74cf0

SHA256
0a85c53419c2be88cc27f589f15584ca995325ca52020beb4d100d30a92a430f

SHA512
a4958f8d3d68c5e39a5cd54b90fddf87bf675070140417024e46a09407b052eb559a3127d577689e5d794cf55aafe1a4e1c3875d2b98c0ef298a54915cca616b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
35f0f32395be152a9960af9001e1703e

SHA1
52049c2b106f37faf8247e24f0fb420caffb5a1c

SHA256
0f8d287b0937cd8d365d4505640336b13e5591a736a11f28ec9f1f058bad179e

SHA512
af5bf59aa0f0483e50e07ed89cd7303fdac7c65a82729e9ebbb7ce3b857c26bc222ff131b655a513e1ba2769249f73771ad5800409a03c9d6e2191eefefbbe16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0dc0d8421cb1cde6ee90d3cf3f63a0bb

SHA1
1c6184a5b122786c7a356e82000dab6b01799f13

SHA256
e1e161a560ed48c09f5fbd61f93ba2f03db3348beea32ceaab65032a03fc27ff

SHA512
a5ec3f4c20684c4c277161def4bb2ee62b93a4f5578677abb566bbed8b9855b70577666a657b3b22635e1e31470d3276058f5e6d988851d781a215aea3896703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
afe3ca0793ac71e28f9ab493b975052e

SHA1
ce5d05e4c8113570599492e60fce76ebd35df2ba

SHA256
9880d0246cab178aaf6cd0c0caf02a1e9023ed6627804a8566ea28b65eedb163

SHA512
3ad0351a9699caf6272eef717fd5acb52c161f3bbeede8a352734711837937cb599f72a27627c8f6c52fcba873f178236f3c0db855c4c70820958948b83b7473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
be161d6ab280ae349f29122b596f34a4

SHA1
758bf57dbe8931bf05edd973701a50c9c8da3dbd

SHA256
48fc804aece084ded3a23e2d1cdb48705763f52e742d4c38d38a1da8d18ae0e2

SHA512
fadc2a95ee90b656216f32e5a87480fbb84e7c99d63c596a8d7319ae2497ad9521527a4d9e9e318dcbdd18a7c2d1ae4ae3ce672d2ad190eae7a438f667278c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
704B

MD5
77843ba81dde8b82342fa9a0bc56ff00

SHA1
a79e02cc6a3a3fefbf0a7aca0d21ee43747e8769

SHA256
2a98533fc4237db9a15fa3ccfb20f5ac750b90d9d22da3d5df6951c7232b370b

SHA512
9a27e716fe9c593d8a941b4649915fcdcc7cd5087a28b50b9e8d0e50b2d84cba74b272c60a0fa92e07a7cad408aee20df3b4762c227871fc9276ba5feadbe897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bd06306322018d34ff1cc47e31b9b2d2

SHA1
b03dcbf3b17953b503f0776ee6e3f4a447bf57c2

SHA256
fa48174c79106680e4f6e81e25d8535071f9ddd8aa346485d13d34f4099adc0d

SHA512
aebbc173eb09e80b7478084fd630815e1bf807ce2843b1c1e78eb34d0e9f73b01464b4910d16993691200e37e3f5566e434710302a27f877eaf5fdbef3cbc09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a482b9451b7d0eecd87502d6bf3c0b45

SHA1
09e574ea8ff040a8189994a5d26617f30026bef6

SHA256
abc3da98f65ad7dd6ed666a10b952f15a6d3dc94c307770b134d766a4cfc7d30

SHA512
4c1dea5d7bdfa80bcbf7b6e0add07c8b0139cafd44afd4162af9180ed1ceea39486201676fb2a2b636c5223a9bd228a92cb46c7467dcd5ca1e40b38f77ec52fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
87f8af4139be2a09b061bfd34c2d0585

SHA1
87189d730c073b0ad6344a606e737eda05ae195c

SHA256
70a07a514df3c89371fcbc322cf3d767fa9e4949f1d7d2ec4b962775786741c0

SHA512
34f03c0bfd4e828f4bfd529d6e2560f0b90ec3552cd8ea413489190a684456bc1731d970410870ef81af88379f04179d6fb33bda99058d375645ad76d1dedfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
58fcc8d8aeb9b2d2dc0043c177bd5704

SHA1
beffb16e4193528de9a0ca665449abd03843dcef

SHA256
881834475c6e3215fa7f9e7e18cdc24f54fa615c3e6d3ca782dc10f4d164f3dd

SHA512
d4f949be883a03435351703d796077e33485fa347aace98de28c21cf7ab4937bda40e60bc95b505329aaaaf05a534b67029bf57b3a8efaee894487f8a84825bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5938e8.TMP
Filesize
201B

MD5
9d2c782c64c974e58b3d4a23b3508afa

SHA1
9bee5c55b2302c92c0083ec788c982eebd6853ae

SHA256
b86cbe618d49aba35f618e069e795a21882383ea7356bcc3906a04bdd1711297

SHA512
f0eab8308d6c78f58d06952b98b3448576e5558eb8051dffe39a345574699da22302e24b5cec99f8038472613f3eb771edcd40f8d144924ef00dfcc7ebaee27e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
7fb972f4130d511692489977a61676af

SHA1
fd7b2ce6c5e125d5b0b682479ee189412845258b

SHA256
bed71840aa3bef8c1b702b1c062f80e41c8a7c358c732406efd601661195376d

SHA512
2c69d341361c52e4f5de5dcc5f0df0f21d97ec7e7231b4586b66fab1944f9f2e4de2756fe5bb96ce19fa3671b0534d17e36c9d59a9932d2e056983bdf9909dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
95be2247c5d856c128f5ea67435b6517

SHA1
62eb9c39d3dc88084289a0af8e9b60fc157e873f

SHA256
b98f18102993ce53e3ccdab632ad790d13ec24e0741ec1d750a221ed563b3a0c

SHA512
0720794188b2e7e21cc44b4dd57f994b685664d0252993ac42d5cb62b29a63e0c463e1f0f95a29fad23d8e1def0a28183e0f4b3b171430d8ab91a3e80dc11937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c21e6533889579a5ed0fcbd349669041

SHA1
c65bcba24082db1f3d27a99cebd3437b127edd1d

SHA256
5d2163d66e01a97603e0cd375b233cee5a07d84c573290ee4db85debbce5775e

SHA512
29c0ed0603f8e148543bd40dbcfd4400b5fc3831396f04a1fd090e475672c61d4f52df1735015fa21212b0d7a2f1e79b3842a07bf704d8d139cefb6412b48614

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe
Filesize
128KB

MD5
3317b9ea73e1b006b131397118c9c1d4

SHA1
827c78ad8a2c0570b7f886e59d89c9ce5039f90b

SHA256
4842c370eb1ea74f74eefe624bee20c4ff99fdd1b21982d5166a736b154fdea9

SHA512
f02c659b10cf0fb05e3b44b395c337566cc9c930c9274f98ade2ce552897fbf4cccfa8a482ea383753e1c6aa5adc10f3e773844f04ec103690eb07a271a8d7d0

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 887257.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
\??\pipe\LOCAL\crashpad_1320_SVCNQPPZUJQICWTE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/468-24530-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/468-24527-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/468-24526-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-559-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-24522-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/1308-558-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/1308-6672-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-418-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/18076-24532-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/18076-24533-0x000000000A560000-0x000000000A594000-memory.dmp

Filesize
208KB

Download
memory/18076-24534-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/18076-24536-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads