Analysis
max time kernel: 946s
max time network: 925s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 04:50
Static task: static1
Behavioral task: behavioral1
Sample: CoronaVirus2.0remasterd.exe
Resource: win10v2004-20240226-en
General
Target: CoronaVirus2.0remasterd.exe
Size: 1.0MB
MD5: 055d1462f66a350d9886542d4d79bc2b
SHA1: f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256: dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512: 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP: 24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
coronavirus@qq.com
Signatures
Dharma
Dharma is a ransomware family that uses security software installation to hide malicious activities.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (496) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Process: CoronaVirus2.0remasterd.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
Drops startup file (5 IoCs)
Process: CoronaVirus2.0remasterd.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus2.0remasterd.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-8D56F154.[coronavirus@qq.com].ncov
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-8D56F154.[coronavirus@qq.com].ncov
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Executes dropped EXE (1 IoC)
Process: dismhost.exe (pid 20320)
Loads dropped DLL (5 IoCs)
Process: dismhost.exe (pid 20320)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 3 IoCs)
Process: CoronaVirus2.0remasterd.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus2.0remasterd.exe = "C:\\Windows\\System32\\CoronaVirus2.0remasterd.exe"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
Drops desktop.ini file(s) (64 IoCs)
Process: CoronaVirus2.0remasterd.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: unregmp2.exe
  File opened (read-only): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Process: vds.exe
  File opened (read-only): \??\E:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Process: vds.exe
  File opened for modification: \??\PhysicalDrive0
Drops file in System32 directory (15 IoCs)
Process: CoronaVirus2.0remasterd.exe
  File created: C:\Windows\System32\Info.hta
  File created: C:\Windows\System32\CoronaVirus2.0remasterd.exe
Process: svchost.exe
  File created: C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001\User\Registry.pol
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\CM2B97E.tmp
  File opened for modification: C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001\gpt.ini
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\CM2B91F.tmp
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\CM2B9AF.tmp
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\CM2BA4D.tmp
  File opened for modification: C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001\GPT.INI
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\CM2BA0E.tmp
  File opened for modification: C:\Windows\System32\GroupPolicyUsers
  File opened for modification: C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001
  File opened for modification: C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001\User\Registry.pol
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\CM2B98F.tmp
Process: mmc.exe
  File opened for modification: C:\Windows\System32\diskmgmt.msc
Drops file in Program Files directory (64 IoCs)
Process: CoronaVirus2.0remasterd.exe
Drops file in Windows directory (3 IoCs)
Process: SystemSettingsAdminFlows.exe
  File opened for modification: C:\Windows\Logs\DISM\dism.log
Process: dismhost.exe
  File opened for modification: C:\Windows\Logs\DISM\dism.log
Process: vds.exe
  File opened for modification: C:\Windows\INF\setupapi.dev.log
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 25 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: vds.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (pid 37824)
Process: vssadmin.exe (pid 19760)
Processes: wwahost.exe (5 processes)
  Key created: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU
  Key created: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU
Modifies data under HKEY_USERS 64 IoCs
Processes: svchost.exe, LogonUI.exe
-
Modifies registry class 55 IoCs
Processes: wwahost.exe, explorer.exe, OpenWith.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes (pid | process):
21324 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process):
5044 | CoronaVirus2.0remasterd.exe
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes (pid | process):
22108 | OpenWith.exe
21632 | OpenWith.exe
6752 | mmc.exe
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes (description | pid | process):
Token: SeBackupPrivilege | 23156 | vssvc.exe
Token: SeRestorePrivilege | 23156 | vssvc.exe
Token: SeAuditPrivilege | 23156 | vssvc.exe
Token: SeShutdownPrivilege | 19452 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 19452 | unregmp2.exe
Token: 33 | 6752 | mmc.exe
Token: SeIncBasePriorityPrivilege | 6752 | mmc.exe
Token: 33 | 6752 | mmc.exe
Token: SeIncBasePriorityPrivilege | 6752 | mmc.exe
Token: SeDebugPrivilege | 20340 | wwahost.exe
Token: SeDebugPrivilege | 20340 | wwahost.exe
Token: SeDebugPrivilege | 20340 | wwahost.exe
Token: SeBackupPrivilege | 21128 | SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege | 21128 | SystemSettingsAdminFlows.exe
-
Suspicious use of SetWindowsHookEx 53 IoCs
Processes (pid | process):
22108 | OpenWith.exe
21632 | OpenWith.exe
6752 | mmc.exe
10956 | SystemSettingsAdminFlows.exe
20340 | wwahost.exe
8440 | wwahost.exe
19460 | wwahost.exe
17556 | wwahost.exe
18312 | wwahost.exe
24740 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
- CoronaVirus2.0remasterd.exe (PID 5044) wrote to memory of cmd.exe (PID 968): 2 events
- cmd.exe (PID 968) wrote to memory of mode.com (PID 13276): 2 events
- cmd.exe (PID 968) wrote to memory of vssadmin.exe (PID 37824): 2 events
- CoronaVirus2.0remasterd.exe (PID 5044) wrote to memory of cmd.exe (PID 9992): 2 events
- cmd.exe (PID 9992) wrote to memory of mode.com (PID 7844): 2 events
- CoronaVirus2.0remasterd.exe (PID 5044) wrote to memory of mshta.exe (PID 17104): 2 events
- CoronaVirus2.0remasterd.exe (PID 5044) wrote to memory of mshta.exe (PID 20184): 2 events
- cmd.exe (PID 9992) wrote to memory of vssadmin.exe (PID 19760): 2 events
- OpenWith.exe (PID 21632) wrote to memory of NOTEPAD.EXE (PID 21324): 2 events
- wmplayer.exe (PID 19812) wrote to memory of setup_wm.exe (PID 19660): 3 events
- wmplayer.exe (PID 19812) wrote to memory of unregmp2.exe (PID 19596): 3 events
- unregmp2.exe (PID 19596) wrote to memory of unregmp2.exe (PID 19452): 2 events
- SystemSettingsAdminFlows.exe (PID 21128) wrote to memory of dismhost.exe (PID 20320): 2 events
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backup snapshots. In this run it is exercised twice by vssadmin delete shadows /all /quiet (spawned through cmd.exe from the sample, see the process tree) and by the vssvc.exe instance that acquires SeBackupPrivilege and SeRestorePrivilege; removing the snapshots is what blocks recovery of the renamed files without paying.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\CoronaVirus2.0remasterd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CoronaVirus2.0remasterd.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Windows\system32\mode.com
      command line: mode con cp select=1251
-
    [depth 3] C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
-
  [depth 2] C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Windows\system32\mode.com
      command line: mode con cp select=1251
-
    [depth 3] C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
-
  [depth 2] C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
-
  [depth 2] C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
-
[depth 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\werfault.exe
  command line: werfault.exe /h /shared Global\7ff30de2da3a4fb689a997de2d78d256 /t 20156 /p 20184
-
[depth 1] C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
  - Modifies registry class
-
[depth 1] C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[depth 1] C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RepairExit.htm
    - Opens file in notepad (likely ransom note)
-
[depth 1] C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  - Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
-
  [depth 2] C:\Windows\SysWOW64\unregmp2.exe
    command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Windows\system32\unregmp2.exe
      command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\werfault.exe
  command line: werfault.exe /h /shared Global\2f2b9e9519cc400e874584154eb394b8 /t 17088 /p 17104
-
[depth 1] C:\Windows\system32\mmc.exe
  command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\diskmgmt.msc"
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
-
[depth 1] C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
-
[depth 1] C:\Windows\system32\SystemSettingsAdminFlows.exe
  command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" RetailDemoConfirm
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\system32\wwahost.exe
  command line: "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
  - Modifies registry class
-
[depth 1] C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
  - Modifies registry class
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
-
[depth 1] C:\Windows\system32\wwahost.exe (four further instances, each with the same behaviours)
  command line: "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\system32\SystemSettingsAdminFlows.exe
  command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" AssignedAccessAdminHelper
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\dismhost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\dismhost.exe {A2D495F7-9FAF-47D2-82BD-465B8C300D09}
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k AssignedAccessManagerSvc -s AssignedAccessManagerSvc
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k AssignedAccessManagerSvc -s AssignedAccessManagerSvc
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
-
[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s dmwappushservice
-
[depth 1] C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0 /state0:0xa38a3855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
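The chain in the tree above (sample in %TEMP% -> cmd.exe -> mode.com / vssadmin.exe, plus mshta.exe rendering Info.hta out of a Startup folder) is the part worth detecting, so here is an added example in Python that is not part of this sandbox report. It runs over a constructed, simplified set of process-creation records (pid, parent pid, image path, command line, the kind of fields Sysmon Event ID 1 or EDR telemetry carry; the record layout itself is an assumption). The PIDs and command lines of the malicious chain are copied from the report; the sample's parent PID 1234 and the benign chain 3999/4000/4001 are invented to show the severity split between an administrator trimming a snapshot and a wipe rooted in a user-writable path.

```python
"""Detection over process-creation events for the Dharma chain in the report.

Added example, not part of the sandbox report. Events are a constructed,
simplified record of what Sysmon Event ID 1 or EDR telemetry provides
(pid, ppid, image path, command line); the field layout is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: PIDs and command lines copied from the report's process
# tree; the parent PID 1234 of the sample and the benign chain 3999/4000/4001
# are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(5044, 1234, r"C:\Users\Admin\AppData\Local\Temp\CoronaVirus2.0remasterd.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\CoronaVirus2.0remasterd.exe"'),
    ProcEvent(968, 5044, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(13276, 968, r"C:\Windows\system32\mode.com", "mode con cp select=1251"),
    ProcEvent(37824, 968, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(17104, 5044, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'),
    # Invented benign-looking admin activity: an operator trimming one old snapshot from a console.
    ProcEvent(4000, 3999, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(4001, 4000, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
STARTUP_HTA = re.compile(r'\bmshta(?:\.exe)?\b.*\\Start Menu\\Programs\\Startup\\[^"]*\.hta', re.I)
# Images under these prefixes are treated as OS/vendor binaries; anything else
# (user profile, ProgramData, Temp) counts as a user-writable origin.
SYSTEM_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def build_index(events):
    return {e.pid: e for e in events}


def ancestry(index, pid, max_depth=8):
    """Yield the process with the given pid, then its parent, and so on up the tree."""
    seen = set()
    while pid in index and pid not in seen and len(seen) < max_depth:
        seen.add(pid)
        event = index[pid]
        yield event
        pid = event.ppid


def from_user_writable_path(image):
    return not image.lower().startswith(SYSTEM_PREFIXES)


def find_dharma_chain(events):
    """Return (rule, pid, origin_pid, severity) tuples for the suspicious events."""
    index = build_index(events)
    findings = []
    for e in events:
        if SHADOW_DELETE.search(e.cmdline):
            # A shadow-copy wipe is worth a medium alert on its own; it becomes
            # critical when some ancestor runs from a user-writable location,
            # which is exactly how the dropped sample reaches vssadmin via cmd.exe.
            origin = next((a for a in ancestry(index, e.ppid) if from_user_writable_path(a.image)), None)
            findings.append(("shadow_copy_deletion", e.pid, origin.pid if origin else None,
                             "critical" if origin else "medium"))
        if STARTUP_HTA.search(e.cmdline):
            # Ransom note rendered by mshta from a Startup folder: persistence and display in one step.
            findings.append(("hta_from_startup_folder", e.pid, e.ppid, "high"))
    return findings


if __name__ == "__main__":
    for finding in find_dharma_chain(SAMPLE_EVENTS):
        print(*finding)
```

The ancestry walk carries more signal than the command line itself: vssadmin delete shadows is legitimate in an administrator's console, but not when the chain roots in %TEMP% or a user profile, which is the one property this sample cannot hide. The mode con cp select=1251 child (a Cyrillic console code page) is not used as a rule here because it is only a weak hint on its own.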
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (2): File Deletion (2)
- Modify Registry (2)
- Pre-OS Boot (1): Bootkit (1)
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-8D56F154.[coronavirus@qq.com].ncov
  Filesize: 2.9MB
  MD5: b9bb4a9ee67a65d7a3553b0b3589f549
  SHA1: 417e720a3c409d29735788ce9f76abc844899516
  SHA256: 96419605a8fd12572e0d936ea1e9533b71d49934566be0d8def13eea130c2040
  SHA512: b9bc97f12c7cfc9e120dc6ba369b1d2ca967616d8d9a31decdf548c019441b950da748bc086c2a9ffe45cf300fb79cbdbe22d14153ffb06831bb3f060e0907b3
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
  Filesize: 64KB
  MD5: c374c25875887db7d072033f817b6ce1
  SHA1: 3a6d10268f30e42f973dadf044dba7497e05cdaf
  SHA256: 05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6
  SHA512: 6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
  Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
  Filesize: 413KB
  MD5: 2350b47261040b1ee32f7df427ab30fc
  SHA1: e656cced405e01b6a60b7444b2c9e1b31ed7c63a
  SHA256: 612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db
  SHA512: a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.id-8D56F154.[coronavirus@qq.com].ncov
  Filesize: 414KB
  MD5: 7d3c8bdac1036a19edacba602bdb6bc4
  SHA1: 80b80762b1e1ba72776ee02c8f92c50b8e236de5
  SHA256: 1f554d2aa667eb998fe2aedd27b96216ef52106ba6fb3655ee9990acfa908723
  SHA512: 0ece29854edc313aedcb33418eaec0cf659f760b0c06d4337b23b57936e1ea2b2d31886d2ad9ea54ac9393108e300518a5cdb5685d3a3a6e00de076aafe52caa
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MIZIPTM0\microsoft.windows[1].xml
  Filesize: 13B
  MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
  SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
  SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
  SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\AppxProvider.dll
  Filesize: 554KB
  MD5: a7927846f2bd5e6ab6159fbe762990b1
  SHA1: 8e3b40c0783cc88765bbc02ccc781960e4592f3f
  SHA256: 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
  SHA512: 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\DismCorePS.dll
  Filesize: 183KB
  MD5: a033f16836d6f8acbe3b27b614b51453
  SHA1: 716297072897aea3ec985640793d2cdcbf996cf9
  SHA256: e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
  SHA512: ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\DismHost.exe
  Filesize: 142KB
  MD5: e5d5e9c1f65b8ec7aa5b7f1b1acdd731
  SHA1: dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
  SHA256: e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
  SHA512: 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\DismProv.dll
  Filesize: 255KB
  MD5: 490be3119ea17fa29329e77b7e416e80
  SHA1: c71191c3415c98b7d9c9bbcf1005ce6a813221da
  SHA256: ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
  SHA512: 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\LogProvider.dll
  Filesize: 77KB
  MD5: 815a4e7a7342224a239232f2c788d7c0
  SHA1: 430b7526d864cfbd727b75738197230d148de21a
  SHA256: a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
  SHA512: 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\OSProvider.dll
  Filesize: 149KB
  MD5: db4c3a07a1d3a45af53a4cf44ed550ad
  SHA1: 5dea737faadf0422c94f8f50e9588033d53d13b3
  SHA256: 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
  SHA512: 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
  Filesize: 666B
  MD5: 336e062f07132c52c0330fd802de0ad7
  SHA1: 2d428483a79d4081c9c4e3fb169809f344c87696
  SHA256: f2659c8ba67fca055b5159315f1ad62c2844fb80cdafa935b7ec27a44e6123a9
  SHA512: 2591d2e12c4f8af2599f619b29ffd8b21ac1d6fa1ff5170396b7cf7aeca7f6b53546aaecabaae46279b7e42880f4e98c254eb51b15bb5de994020f27feed795f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  Filesize: 13KB
  MD5: 6bb489d6fcec031304a28dfca0aa6fa0
  SHA1: 06c8f23ac4bf0fd1c848c5cb7f09167b5dd92021
  SHA256: 6b95e2f3b3488b2a71407523de908fefa7796e38af73f22e3db201c3353200d7
  SHA512: 9d0585d1e15a25ed367dffcdff39e5bb9994e5a98c467aed1ed102bd9b2f113e1a15d4003cccfc19fe8911368e27d67d296fa376fa99e7cffff7ef74cd474b5e
-
C:\Users\Admin\Desktop\CheckpointPing.reg.id-8D56F154.[coronavirus@qq.com].ncov
  Filesize: 669KB
  MD5: b5f74cf2c1269a292dbdc7d32f7092c8
  SHA1: 03cc725c2cb23df3218f5b4592f5dff0d19d719f
  SHA256: 29c03b0c9aa4c76c6e2307ae9ee9f75d9a02173b876b01b1d5560bc14bce199e
  SHA512: 85b3bf230f20dd34f1fe766ab248952e93bca1364a180fcdbe094b16a11fb55bbb417421ec8aa7921dcb4bbf344d834dcf9b3e8e8530f621e69303da0e0df9b8
-
C:\Users\Admin\Downloads\RepairExit.htm
  Filesize: 474KB
  MD5: b9c756bbc8085977ba257e6cb86044e3
  SHA1: f3311b48730e9ddbddcbb7a2292cb9ed5b0aa5b7
  SHA256: f4dfadb3ac531eff30579ecee3e71ad3acbcd559eb474eca8a30b6fdde32022d
  SHA512: 9a4cff4e4af56afeed615088dbd72cd877a562a9100b833697ea0bbf6823566f0bf82a372470078a68d9ab11bb95d206423e2877f6120edf7020e0afb2f7089d
-
C:\Windows\Logs\DISM\dism.log
  Filesize: 233KB
  MD5: 3652a26b3071678db07e1844ee4c3158
  SHA1: 4245d94c6951f98a88ac8329afbec9ec979b834c
  SHA256: c3635a02d33d039d31cb10c896fa3a4025e9b53cd3a642e39d04697ff8a8b81e
  SHA512: 9f656278b86407845cdd719622defefd7a572781d36286a9142428f05910e58a5d7f0bca85eba67febc5f54de0234df9e34669e23bc94719cb9ad827b16e93bd
-
C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001\gpt.ini
  Filesize: 156B
  MD5: 24065ee5988fb7a34224fcd2e9eb6028
  SHA1: c6f13a094a33e8655db14b96daf2247e3d4c6017
  SHA256: 8862b85c1ed9dbae806ab05ac6066efcedbf49098745796339eab3fae7ebfa1d
  SHA512: e48c2d396bef5ef779f0ecc995f051313bf1374e56da8ecb381d5358786d78a4d476c573a322ec54067655d9fa69b469195949fa0300d74563c95034d95574ae
-
memory/5044-0-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize: 1.4MB
-
memory/5044-23794-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
  Filesize: 208KB
-
memory/5044-14216-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize: 1.4MB
-
memory/5044-2-0x0000000000400000-0x000000000056F000-memory.dmp
  Filesize: 1.4MB
-
memory/5044-1-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
  Filesize: 208KB
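The three encrypted entries in the list above all follow one naming scheme, <original name>.id-<8 hex chars>.[<contact e-mail>].<extension>, and that scheme alone is enough to triage a file listing during response. Here is an added example in Python that is not part of this sandbox report: it parses that pattern, recovers the pre-encryption path, and summarises a listing by victim id, contact address and extension. The input is a constructed list made of paths taken from this section plus one invented near-miss (a name with the e-mail bracket but no victim id) that must not match.

```python
"""Parse the Dharma-style encrypted file names listed in the Downloads section.

Added example, not part of the sandbox report. It relies only on the naming
scheme visible in the report: <original name>.id-<8 hex>.[<contact e-mail>].<ext>
"""
import re
from collections import Counter

DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample: the three encrypted paths from the report, two untouched
# files from the same list, and an invented near-miss without a victim id.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-8D56F154.[coronavirus@qq.com].ncov",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.id-8D56F154.[coronavirus@qq.com].ncov",
    r"C:\Users\Admin\Desktop\CheckpointPing.reg.id-8D56F154.[coronavirus@qq.com].ncov",
    r"C:\Users\Admin\Downloads\RepairExit.htm",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\Admin\Desktop\notes.[someone@example.com].ncov",
]


def parse_encrypted_name(path):
    """Return the parsed fields for a Dharma-style name, or None if it does not match."""
    name = path.rsplit("\\", 1)[-1]
    m = DHARMA_NAME.match(name)
    if not m:
        return None
    return {
        "original": m["original"],
        "victim_id": m["victim_id"].upper(),
        "contact": m["contact"],
        "ext": m["ext"],
    }


def original_path(path):
    """Path the file had before encryption (where a decryptor or restore should put it back)."""
    parsed = parse_encrypted_name(path)
    if parsed is None:
        return path
    directory, sep, _ = path.rpartition("\\")
    return f"{directory}{sep}{parsed['original']}"


def triage(paths):
    """Summarise a file listing: how many files were renamed and by which campaign."""
    hits = [p for p in map(parse_encrypted_name, paths) if p is not None]
    return {
        "encrypted_count": len(hits),
        "victim_ids": Counter(h["victim_id"] for h in hits),
        "contacts": Counter(h["contact"] for h in hits),
        "extensions": Counter(h["ext"] for h in hits),
    }


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(parse_encrypted_name(path) or "not encrypted", "<-", path)
    print(triage(SAMPLE_PATHS))
```

The lazy `.+?` in the pattern matters for names that already contain dots (the `{03BA58C4-...}.3.ver0x0000000000000001.db` cache file above): it stops at the first `.id-` so the whole original name, dots included, is preserved. The victim id (8D56F154 in this run) is the same for every file one infection touches, so grouping a listing by it tells you whether you are looking at one infection or several.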