Analysis

  • max time kernel
    946s
  • max time network
    925s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2024 04:50

General

  • Target

    CoronaVirus2.0remasterd.exe

  • Size

    1.0MB

  • MD5

    055d1462f66a350d9886542d4d79bc2b

  • SHA1

    f1086d2f667d807dbb1aa362a7a809ea119f2565

  • SHA256

    dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

  • SHA512

    2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

  • SSDEEP

    24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message 8D56F154 In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

coronavirus@qq.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (496) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 25 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 55 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 53 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CoronaVirus2.0remasterd.exe
    "C:\Users\Admin\AppData\Local\Temp\CoronaVirus2.0remasterd.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:13276
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:37824
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:9992
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:7844
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:19760
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:17104
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:20184
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:23156
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\7ff30de2da3a4fb689a997de2d78d256 /t 20156 /p 20184
    1⤵
    PID:13680
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    • Modifies registry class
    PID:22856
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:22376
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:22108
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:21632
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RepairExit.htm
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:21324
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:19812
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      2⤵
      PID:19660
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:19596
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:19452
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\2f2b9e9519cc400e874584154eb394b8 /t 17088 /p 17104
    1⤵
    PID:17804
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\diskmgmt.msc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:6752
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:6936
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    PID:7104
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" RetailDemoConfirm
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:10956
  • C:\Windows\system32\wwahost.exe
    "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:20340
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    • Modifies registry class
    PID:16164
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    • Modifies registry class
    PID:5416
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    1⤵
    PID:6424
  • C:\Windows\system32\wwahost.exe
    "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:8440
  • C:\Windows\system32\wwahost.exe
    "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:19460
  • C:\Windows\system32\wwahost.exe
    "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:17556
  • C:\Windows\system32\wwahost.exe
    "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:18312
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" AssignedAccessAdminHelper
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:21128
    • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\dismhost.exe {A2D495F7-9FAF-47D2-82BD-465B8C300D09}
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:20320
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k AssignedAccessManagerSvc -s AssignedAccessManagerSvc
    1⤵
    PID:2968
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k AssignedAccessManagerSvc -s AssignedAccessManagerSvc
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:3324
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s dmwappushservice
    1⤵
    PID:7720
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa38a3855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:24740

Network

MITRE ATT&CK Matrix ATT&CK v13

Tactic, then technique (ATT&CK ID) with its count; sub-techniques are nested under their parent technique.

  • Persistence
    • Boot or Logon Autostart Execution (T1547) 1
      • Registry Run Keys / Startup Folder (T1547.001) 1
    • Pre-OS Boot (T1542) 1
      • Bootkit (T1542.003) 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547) 1
      • Registry Run Keys / Startup Folder (T1547.001) 1
  • Defense Evasion
    • Indicator Removal (T1070) 2
      • File Deletion (T1070.004) 2
    • Modify Registry (T1112) 2
    • Pre-OS Boot (T1542) 1
      • Bootkit (T1542.003) 1
  • Credential Access
    • Unsecured Credentials (T1552) 1
      • Credentials In Files (T1552.001) 1
  • Discovery
    • Query Registry (T1012) 3
    • System Information Discovery (T1082) 4
    • Peripheral Device Discovery (T1120) 2
  • Collection
    • Data from Local System (T1005) 1
  • Impact
    • Inhibit System Recovery (T1490) 2


Downloads

                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-8D56F154.[coronavirus@qq.com].ncov
                            Filesize

                            2.9MB

                            MD5

                            b9bb4a9ee67a65d7a3553b0b3589f549

                            SHA1

                            417e720a3c409d29735788ce9f76abc844899516

                            SHA256

                            96419605a8fd12572e0d936ea1e9533b71d49934566be0d8def13eea130c2040

                            SHA512

                            b9bc97f12c7cfc9e120dc6ba369b1d2ca967616d8d9a31decdf548c019441b950da748bc086c2a9ffe45cf300fb79cbdbe22d14153ffb06831bb3f060e0907b3

                          • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
                            Filesize

                            64KB

                            MD5

                            c374c25875887db7d072033f817b6ce1

                            SHA1

                            3a6d10268f30e42f973dadf044dba7497e05cdaf

                            SHA256

                            05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

                            SHA512

                            6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
                            Filesize

                            9KB

                            MD5

                            7050d5ae8acfbe560fa11073fef8185d

                            SHA1

                            5bc38e77ff06785fe0aec5a345c4ccd15752560e

                            SHA256

                            cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                            SHA512

                            a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
                            Filesize

                            413KB

                            MD5

                            2350b47261040b1ee32f7df427ab30fc

                            SHA1

                            e656cced405e01b6a60b7444b2c9e1b31ed7c63a

                            SHA256

                            612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db

                            SHA512

                            a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.id-8D56F154.[coronavirus@qq.com].ncov
                            Filesize

                            414KB

                            MD5

                            7d3c8bdac1036a19edacba602bdb6bc4

                            SHA1

                            80b80762b1e1ba72776ee02c8f92c50b8e236de5

                            SHA256

                            1f554d2aa667eb998fe2aedd27b96216ef52106ba6fb3655ee9990acfa908723

                            SHA512

                            0ece29854edc313aedcb33418eaec0cf659f760b0c06d4337b23b57936e1ea2b2d31886d2ad9ea54ac9393108e300518a5cdb5685d3a3a6e00de076aafe52caa

                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MIZIPTM0\microsoft.windows[1].xml
                            Filesize

                            13B

                            MD5

                            c1ddea3ef6bbef3e7060a1a9ad89e4c5

                            SHA1

                            35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

                            SHA256

                            b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

                            SHA512

                            6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

                          • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\AppxProvider.dll
                            Filesize

                            554KB

                            MD5

                            a7927846f2bd5e6ab6159fbe762990b1

                            SHA1

                            8e3b40c0783cc88765bbc02ccc781960e4592f3f

                            SHA256

                            913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

                            SHA512

                            1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

                          • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\DismCorePS.dll
                            Filesize

                            183KB

                            MD5

                            a033f16836d6f8acbe3b27b614b51453

                            SHA1

                            716297072897aea3ec985640793d2cdcbf996cf9

                            SHA256

                            e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

                            SHA512

                            ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

                          • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\DismHost.exe
                            Filesize

                            142KB

                            MD5

                            e5d5e9c1f65b8ec7aa5b7f1b1acdd731

                            SHA1

                            dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

                            SHA256

                            e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

                            SHA512

                            7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

                          • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\DismProv.dll
                            Filesize

                            255KB

                            MD5

                            490be3119ea17fa29329e77b7e416e80

                            SHA1

                            c71191c3415c98b7d9c9bbcf1005ce6a813221da

                            SHA256

                            ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

                            SHA512

                            6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

                          • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\LogProvider.dll
                            Filesize

                            77KB

                            MD5

                            815a4e7a7342224a239232f2c788d7c0

                            SHA1

                            430b7526d864cfbd727b75738197230d148de21a

                            SHA256

                            a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

                            SHA512

                            0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

                          • C:\Users\Admin\AppData\Local\Temp\CAD6ECA3-2746-4BD6-8795-B0FAC766BDA4\OSProvider.dll
                            Filesize

                            149KB

                            MD5

                            db4c3a07a1d3a45af53a4cf44ed550ad

                            SHA1

                            5dea737faadf0422c94f8f50e9588033d53d13b3

                            SHA256

                            2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

                            SHA512

                            5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

                          • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
                            Filesize

                            666B

                            MD5

                            336e062f07132c52c0330fd802de0ad7

                            SHA1

                            2d428483a79d4081c9c4e3fb169809f344c87696

                            SHA256

                            f2659c8ba67fca055b5159315f1ad62c2844fb80cdafa935b7ec27a44e6123a9

                            SHA512

                            2591d2e12c4f8af2599f619b29ffd8b21ac1d6fa1ff5170396b7cf7aeca7f6b53546aaecabaae46279b7e42880f4e98c254eb51b15bb5de994020f27feed795f

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                            Filesize

                            13KB

                            MD5

                            6bb489d6fcec031304a28dfca0aa6fa0

                            SHA1

                            06c8f23ac4bf0fd1c848c5cb7f09167b5dd92021

                            SHA256

                            6b95e2f3b3488b2a71407523de908fefa7796e38af73f22e3db201c3353200d7

                            SHA512

                            9d0585d1e15a25ed367dffcdff39e5bb9994e5a98c467aed1ed102bd9b2f113e1a15d4003cccfc19fe8911368e27d67d296fa376fa99e7cffff7ef74cd474b5e

                          • C:\Users\Admin\Desktop\CheckpointPing.reg.id-8D56F154.[coronavirus@qq.com].ncov
                            Filesize

                            669KB

                            MD5

                            b5f74cf2c1269a292dbdc7d32f7092c8

                            SHA1

                            03cc725c2cb23df3218f5b4592f5dff0d19d719f

                            SHA256

                            29c03b0c9aa4c76c6e2307ae9ee9f75d9a02173b876b01b1d5560bc14bce199e

                            SHA512

                            85b3bf230f20dd34f1fe766ab248952e93bca1364a180fcdbe094b16a11fb55bbb417421ec8aa7921dcb4bbf344d834dcf9b3e8e8530f621e69303da0e0df9b8

                          • C:\Users\Admin\Downloads\RepairExit.htm
                            Filesize

                            474KB

                            MD5

                            b9c756bbc8085977ba257e6cb86044e3

                            SHA1

                            f3311b48730e9ddbddcbb7a2292cb9ed5b0aa5b7

                            SHA256

                            f4dfadb3ac531eff30579ecee3e71ad3acbcd559eb474eca8a30b6fdde32022d

                            SHA512

                            9a4cff4e4af56afeed615088dbd72cd877a562a9100b833697ea0bbf6823566f0bf82a372470078a68d9ab11bb95d206423e2877f6120edf7020e0afb2f7089d

                          • C:\Windows\Logs\DISM\dism.log
                            Filesize

                            233KB

                            MD5

                            3652a26b3071678db07e1844ee4c3158

                            SHA1

                            4245d94c6951f98a88ac8329afbec9ec979b834c

                            SHA256

                            c3635a02d33d039d31cb10c896fa3a4025e9b53cd3a642e39d04697ff8a8b81e

                            SHA512

                            9f656278b86407845cdd719622defefd7a572781d36286a9142428f05910e58a5d7f0bca85eba67febc5f54de0234df9e34669e23bc94719cb9ad827b16e93bd

                          • C:\Windows\System32\GroupPolicyUsers\S-1-5-21-275798769-4264537674-1142822080-1001\gpt.ini
                            Filesize

                            156B

                            MD5

                            24065ee5988fb7a34224fcd2e9eb6028

                            SHA1

                            c6f13a094a33e8655db14b96daf2247e3d4c6017

                            SHA256

                            8862b85c1ed9dbae806ab05ac6066efcedbf49098745796339eab3fae7ebfa1d

                            SHA512

                            e48c2d396bef5ef779f0ecc995f051313bf1374e56da8ecb381d5358786d78a4d476c573a322ec54067655d9fa69b469195949fa0300d74563c95034d95574ae

                          • memory/5044-0-0x0000000000400000-0x000000000056F000-memory.dmp
                            Filesize

                            1.4MB

                          • memory/5044-23794-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
                            Filesize

                            208KB

                          • memory/5044-14216-0x0000000000400000-0x000000000056F000-memory.dmp
                            Filesize

                            1.4MB

                          • memory/5044-2-0x0000000000400000-0x000000000056F000-memory.dmp
                            Filesize

                            1.4MB

                          • memory/5044-1-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
                            Filesize

                            208KB