Analysis
-
max time kernel
107s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-03-2024 21:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
Resource
win10v2004-20240226-en
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (496) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
CoronaVirus.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation CoronaVirus.exe -
Drops startup file 5 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe -
Executes dropped EXE 1 IoCs
Processes:
CoronaVirus.exepid process 5632 CoronaVirus.exe -
Loads dropped DLL 1 IoCs
Processes:
msedge.exepid process 12332 msedge.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
CoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 84 raw.githubusercontent.com 86 raw.githubusercontent.com 87 raw.githubusercontent.com -
Drops file in System32 directory 2 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\Java\jdk-1.8\jre\README.txt.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sv.pak.DATA.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-300.png CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\platform_format.lua CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ga.pak CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XmlDocument.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\UIAutomationProvider.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.Primitives.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_audit_report_18.svg.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF CoronaVirus.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_el.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_es.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare150x150Logo.scale-125_contrast-black.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_selected_18.svg.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\plugin.jar.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\lcms.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@2x.png CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\PresentationUI.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\DefaultProfileImage.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_Resources\0.rsrc CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-unplated_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-100.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-36.png CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\ProgressControl.xaml CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\UIAutomationTypes.resources.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\msedgeupdateres_en-GB.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml CoronaVirus.exe File created C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.id-7FE5DFD1.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll CoronaVirus.exe File opened for modification C:\Program Files\Common Files\System\ado\msado20.tlb CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 26048 vssadmin.exe 15120 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe -
NTFS ADS 1 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 502462.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeCoronaVirus.exepid process 3932 msedge.exe 3932 msedge.exe 1576 msedge.exe 1576 msedge.exe 2376 identity_helper.exe 2376 identity_helper.exe 5356 msedge.exe 5356 msedge.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe 5632 CoronaVirus.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 14944 vssvc.exe Token: SeRestorePrivilege 14944 vssvc.exe Token: SeAuditPrivilege 14944 vssvc.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
Processes:
msedge.exepid process 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe 1576 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 19544 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 1576 wrote to memory of 2236 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 2236 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 1116 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 3932 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 3932 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe PID 1576 wrote to memory of 384 1576 msedge.exe msedge.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1af46f8,0x7ffee1af4708,0x7ffee1af47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:12⤵
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2589301011984099321,5230449007278066087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c7dd014207164ab2a7d6400acfd4973b /t 15000 /p 149761⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\735f50ff841749b3a18c8d22f5ee7adc /t 15028 /p 150201⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa391a855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-7FE5DFD1.[coronavirus@qq.com].ncovFilesize
256KB
MD5ec87a838931d4d5d2e94a04644788a55
SHA12e000fa7e85759c7f4c254d4d9c33ef481e459a7
SHA2568a39d2abd3999ab73c34db2476849cddf303ce389b35826850f9a700589b4a90
SHA5129dd0c30167fbeaf68dfbbad8e1af552a7a1fcae120b6e04f1b41fa76c76d5a78922ff828f5cffd8c02965cde57d63dcbfb4c479b3cb49c9d8107a7d5244e9d03
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5362ffb214354cf47f8e63b7732234365
SHA188c28a9921e38579c09b9938a880ce9dd00a8487
SHA2569486bceb26df8f866279668ed5623a6a51459ee0acc42d63ad524b160ba4a82a
SHA512544c13869bbd675d1ae273b011198c7d11cbe165a61919bdd2fdeb55efb6e23cfee3f9ec34d6631718d5c267d64b32ee635ffaec7ccceca8b42fe634b3cb7241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b9aa7fdbfc1748c119faa8b2bbe818f3
SHA1aa237af1b5e0495f377f3061cd17c82e33d021d1
SHA2565bc54b1918740c27ec8824ff185625401e215da15b63998afc9d9929d97cb44c
SHA5124c784865d9c46128560ee5aad9670454b5896feaf890af590c7d94852cc7809bd5b95309aa48b15cdf5581a25b62ffab7fe4849b961b39d3210f720bab3937ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD543e5b61772a4e21d721ab7450cac162e
SHA195b94af1c0428136191c0a50f4553a43ebff9c5c
SHA2567e09147ac2b571329311826a6942bef640c0f672ba4214420cb2459ae72cf9b7
SHA5129a306bead02d34a06435126869913b68d1f1f6dfbb814f52eac921aea1277b1c0d0e13b7a6f4a729dac97b6683580cf2f343e95b3aa9a2788e0f1327b13ed91a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57ea18017fdba4ee986193fed56849416
SHA12ceaf4b042f03342c23ef3478ef6aac9174b0963
SHA25639ede90e1c1342915fe54a54d3ca9ee476d2daa6aca1e8dd2e1736059a2ea5b6
SHA5128162b0ac661e3dec4cc41bc506fbbbef75cfe3f9616b31e24404daafef289ae02b068385b3df1265686857a5ceab4da2fbbae51cfc1d64187353e4c58fb7558f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57936f71c06346b0f1164913173e2b7a1
SHA10b90a176c0ecebcaba48285cdb80786cde07b12c
SHA2567c46ec984defd14026939b72a15e96af42a36e28e918dbb18c58f865e7cbac3f
SHA512addb0660f121737c6e2203ad4b9f7920a583e4b637dfaf4ad5bfd35b48227d1ae1d12e8bbb616d23be14a66015b353658f6e8d8a03351c69ce25948a7b13bac7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e143c01849e3ec2f1f8a1f33cd550c1c
SHA19625f1a3c7e9ba2c5459bd866725683075c75841
SHA25639de1fa95c37ef41ebfacc995704a08cb7a4affef7ac0289364d1d7e5b9d9b75
SHA51246dc489445bcbccec55b6793874b4fddd9ca95283269b2559c65570f9bed4d67fc1dab887f7c8b1fa0b968e7911962f2f68665d708bbcf8465f687d753327506
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51c7412a44eeb9ae6a1958224a650ab19
SHA1f75d46ec6c2d855999fcb571acceb54804b7d4be
SHA256927b0e7318347c0693c610e0119778ba8cd10916fc50d79978e087c9d4374a69
SHA512e58989f34ff7c12176a2ccdfb17c15770ba94d81dd747cc4416974092d1eb0ddf530435c931bcda21d24dba8161879de15b8875078456d43c0274573449a4ab5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579385.TMPFilesize
874B
MD50a772bff6fa2ad17ede5ddc2de07ca86
SHA1fd01e1df3563c464db010fa5c92eb38cb2a60132
SHA25683d86e9d187920336c9a623fd33a699a4d5e6da5a6f36b9be006825b6379a099
SHA5120835b01abc5b07a353bd9c2041fb01b08b1f82a8026f90647bf988f81b6049201f9182cc02a4b0d5dab6d71246250c87364e8d84adf6e980fd8e97003f2df435
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD527bc05b82dc56448694367002429ca69
SHA18a503e7ac94c23286e68acfd233b28721bd53add
SHA256026a5342432820ee107a1752380c69ea4b35aa2898c394d6be66867fb935aae1
SHA5126fb27fd5fd03c0e2a8ff498fc8214f00a76dae0dec4a7b2cacb7aea43694732c1251a602403eccaf89eefb22bc826ae6de0193e07f63482965d0621feffa718b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD598200b63de6b8fae9b4d48d006b2464e
SHA1c837532afe22825c41055031744c4c6ddae0beef
SHA256b17c18e44c220c097384b832baa461992ad9cab4e972fcecc38dc5656e1a3fdc
SHA512fe82224b77735dbf7f7134f9dec22001c881896bf366d6f4dd0e84357f657ffb1685b33c34a2de2acbd14ef5602b07647b0e1c55bb0c9f8756de8bedabd04a59
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD539db3d241f16302bf79aa19f4d7bb736
SHA1d191fd0ac1f0837a257287403603f51149b7a93d
SHA256ee082e561cb9aeabe3d09cd6be140c5ca736066b907eccc0173e2c5273192ac6
SHA51238a5aa749294722dce881295942654bbf1755d60c3a1c873d73b3a9be7b14dadbbd654d3b2c170406a60a5cce17199fcf7e9065ec45f2f27fb181987eb6124ff
-
C:\Users\Admin\Downloads\Unconfirmed 502462.crdownloadFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
\??\pipe\LOCAL\crashpad_1576_HNFJFLFSFPJACPKQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/5632-215-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5632-214-0x000000000ADB0000-0x000000000ADE4000-memory.dmpFilesize
208KB
-
memory/5632-186-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5632-24228-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5632-24247-0x000000000ADB0000-0x000000000ADE4000-memory.dmpFilesize
208KB