dharma | 94e5de9b6c0b0f3376df8563b7e70df7392a452513082300da8b113992cde728

Analysis

max time kernel
324s
max time network
327s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08-04-2024 11:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

wallpaper.jpg
Size

11KB
MD5

d246e2938a820cde7586bed0f346900c
SHA1

c03acdafeee855fdeca8e06b8abc712a1e85b505
SHA256

94e5de9b6c0b0f3376df8563b7e70df7392a452513082300da8b113992cde728
SHA512

0a574f6c84aee25d71479eed5c78d06a12d98f558628a311b08fb1d17609f12403f7d94d2d6d2179faf6252c0e96537a9bb88cae420282d6d211a1e821165d27
SSDEEP

192:khdfAW3/1AMExkhiiNEsD4SbAo0Y2dRhEN8hTA2zVXIDNgPx54mjmx7xDsVQzWB+:CfAmvMkhfNE+PbAox2JEWVXIDmPP4p7d

Score

10^/10

dharma evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

RedEye.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RedEye.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

RedEye.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (533) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

RedEye.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

13488 NetSh.exe

pid	process
13488	NetSh.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RedEye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP"	RedEye.exe

Deletes itself 1 IoCs

Processes:

CoronaVirus.exe

pid process

4052 CoronaVirus.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe

Executes dropped EXE 10 IoCs

Processes:

CoronaVirus.exeCoronaVirus.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeRedEye.exe

pid	process
4052	CoronaVirus.exe
26864	CoronaVirus.exe
26944	msedge.exe
8164	msedge.exe
14332	msedge.exe
7292	msedge.exe
15592	msedge.exe
13924	msedge.exe
11744	msedge.exe
12516	RedEye.exe

Loads dropped DLL 7 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid process

26944 msedge.exe
8164 msedge.exe
14332 msedge.exe
7292 msedge.exe
15592 msedge.exe
13924 msedge.exe
11744 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
26944	msedge.exe
8164	msedge.exe
14332	msedge.exe
7292	msedge.exe
15592	msedge.exe
13924	msedge.exe
11744	msedge.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exeRedEye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe"	RedEye.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RedEye.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

39 raw.githubusercontent.com
44 raw.githubusercontent.com
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

RedEye.exe

description ioc process

File created C:\autorun.inf RedEye.exe
File opened for modification C:\autorun.inf RedEye.exe
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\Info.hta CoronaVirus.exe
File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe

flow	ioc
39	raw.githubusercontent.com
44	raw.githubusercontent.com

description	ioc	process
File created	C:\autorun.inf	RedEye.exe
File opened for modification	C:\autorun.inf	RedEye.exe

description	ioc	process
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

RedEye.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp"	RedEye.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationFramework.resources.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosBadgeLogo.contrast-white_scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\msedgewebview2.exe.sig.DATA	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClientSideProviders.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Thread.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Forms.resources.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.29231.0_x64__8wekyb3d8bbwe\vcamp140.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Sockets.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\mt.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\tr.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintLargeTile.scale-125.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\StoreLogo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\motion\FluentMotion.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Principal.Windows.dll.id-9AD7F29C.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK	CoronaVirus.exe

Drops file in Windows directory 1 IoCs

Processes:

RedEye.exe

description ioc process

File created C:\Windows\Nope.txt RedEye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Nope.txt	RedEye.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

15920 vssadmin.exe
9524 vssadmin.exe
13220 vssadmin.exe
11036 vssadmin.exe
13144 vssadmin.exe

pid	process
15920	vssadmin.exe
9524	vssadmin.exe
13220	vssadmin.exe
11036	vssadmin.exe
13144	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1637591879-962683004-3585269084-1000\{B2890584-7349-4FA3-8F40-34B212DB8FC5}	msedge.exe

NTFS ADS 8 IoCs

Processes:

RedEye.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File created	C:\windows.exe\:SmartScreen:$DATA	RedEye.exe
File created	C:\windows.exe\:Zone.Identifier:$DATA	RedEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 811609.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 472682.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Locky.AZ.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 683811.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RedEye.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeCoronaVirus.exe

pid	process
1380	msedge.exe
1380	msedge.exe
1384	msedge.exe
1384	msedge.exe
1964	msedge.exe
1964	msedge.exe
5072	identity_helper.exe
5072	identity_helper.exe
3584	msedge.exe
3584	msedge.exe
4208	msedge.exe
4208	msedge.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe
4052	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msedge.exe

pid process

1384 msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vssvc.exeRedEye.exeshutdown.exe

description	pid	process
Token: SeBackupPrivilege	20284	vssvc.exe
Token: SeRestorePrivilege	20284	vssvc.exe
Token: SeAuditPrivilege	20284	vssvc.exe
Token: SeDebugPrivilege	12516	RedEye.exe
Token: SeShutdownPrivilege	14992	shutdown.exe
Token: SeRemoteShutdownPrivilege	14992	shutdown.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exe

pid	process
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

msedge.exeLogonUI.exe

pid process

1384 msedge.exe
15204 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1384 wrote to memory of 2112	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2112	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 2116	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 1380	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 1380	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe
PID 1384 wrote to memory of 3340	1384	msedge.exe	msedge.exe

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

T1112

Processes:

RedEye.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	RedEye.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4"	RedEye.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg
1⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1053cb8,0x7ffee1053cc8,0x7ffee1053cd8
2⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
2⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
2⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5420 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
2⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:4272

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:4612

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:15920

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:18396

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:26860

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:9524

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:9648

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:9388

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Executes dropped EXE
PID:26864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:26944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:14332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
PID:7292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1052 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
PID:11744

C:\Users\Admin\Downloads\RedEye.exe
"C:\Users\Admin\Downloads\RedEye.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:12516

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:13220

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:13144

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:11036

C:\Windows\SYSTEM32\NetSh.exe
NetSh Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:13488

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 00 -f
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:14992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004C0
1⤵
PID:4828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:20284

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\732a37df7c50440fa2057faa5a2b3242 /t 9312 /p 9388
1⤵
PID:10368

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\d0216effadf049f1a7cedcec557f9b80 /t 9548 /p 9648
1⤵
PID:8652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:15204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-9AD7F29C.[coronavirus@qq.com].ncov
Filesize
2.9MB

MD5
4852daa75094981d32f84be670de937d

SHA1
e820a1628160e346e647b7500b80a7f73c17b52f

SHA256
17cedebe459ca32ca96febacfd044d8e2773f0f8da93959ec343b8b1d7e6ca77

SHA512
109c62baa6d8187a015d4f3fe46fe70519a1e050bc144d77df97f9f707fe4bd04af8f271c4754ca2418a8c0f056e2aefa7fc9750042061608b7c4c127375b101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\52fb04f1-848f-47d3-b97a-0350a7d2b4fb.tmp
Filesize
11KB

MD5
bb3e297ed1b4a08c3ab7e8f9a3ec29b1

SHA1
efc4886a3bdc683b03a5aa5481e331f5bfc867f2

SHA256
a7ec1aba1a039c29665d3eecb9b39c622dc6a942b80cb7b3c25d6c2360603a71

SHA512
896d217eb3f18bc144e5998c771e65917105dbed16f3386e98a93acf7485dfd65c483fa6a8dabd44d57dd7f60e4173d97c7a2851db0be4b848f77d1c7192b715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d459a8c16562fb3f4b1d7cadaca620aa

SHA1
7810bf83e8c362e0c69298e8c16964ed48a90d3a

SHA256
fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a

SHA512
35cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
656bb397c72d15efa159441f116440a6

SHA1
5b57747d6fdd99160af6d3e580114dbbd351921f

SHA256
770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab

SHA512
5923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\79c0bfa0-4a7a-449a-9ca7-080d03952853.tmp
Filesize
5KB

MD5
516f6db038e325afd889e994c2fd7d7a

SHA1
0e3f79f5a405977137a613914f128ace8bf784b6

SHA256
9ecb23e1e7a2394e0c0663ebd63f550349983b599d288456462918f02e4953d7

SHA512
7cbddb3757ab8fa10cc981e3d6377ff05dd80ac264a859d6ed9ad5acbd5e50215bfd70f1e22ada69e641ce2d041ca6a06cd44baf3ce45afda576c38c0800b736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1451512ab33ef59186edb8b58d796add

SHA1
0b0063dcd1a2449e975b8fc08543cbb0eaaaa8d6

SHA256
b5e520ba72eff8f1b6ccb7803d85e05c650e6da298052b035371c58d7cdf3e03

SHA512
b2dd5d6f0020ddf1c6973aacd341f9554efb43e8ba9e8e3324524a4fa388e31cbd3cf2ba189a6b9546c3f02e16e69288adbfb5e6e486863bd605c33585bdb9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
919513b7df65d48c15836933fe4581de

SHA1
e88dd191b5b0902ebd1f74f20961ef98de2b28ea

SHA256
1f29e57b16de6cc0ce9d7fc1a8a804ea2223ffe348b9e8aaccef3f76469c2e37

SHA512
7a685617a45d7f559e44e4ad609be402e2ea6c4c6af49596213a48e66996c80877cfe6ffe7b089b705d329b2952c58dd8c9e648a2fc93a86a46379bfa78a8f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1024B

MD5
2dbe52fdf0e78919193eb1f974e9851b

SHA1
b6ccc46f954e09a1ee8f86a305769bd234f70216

SHA256
065b956a1483174cebc2e3590d6fa7dac7de840c898887815662f898a31d83c9

SHA512
483395e7c7ad58feb872aaf72f55f7fae5831f176672fe5175e84d16ff3f066b75f71cf7c94d01c4217be1dc28d752ad3d882f787be9d4c15797baa31c978b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f06601c356cecda2da4d081648fcb2f4

SHA1
705b277cc2a480d12258cd89f3b2f1a85a1d4297

SHA256
38a77df5f100ca5ff5cd1c626cadbe1c6c786b89b1d0d1a9208764d7870f5a73

SHA512
3f775833d1cdd80d09381fc03b787f066c96c70699f500558bfc744b801ee6760e6515ace7382eba4d184f36c21a2e55e663cd9c97a1bec641773f3b7dd215f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c5ecc3f154dd42584bf508ed63d7b859

SHA1
e87988a70aa7a0cd02fc58ef2e4e4613c5885464

SHA256
c6954d4b7d277c8d1ad27a209474d9e1a353f606f1837e4692e7651134ce51d5

SHA512
83ede4bfe5bf53bc46c002bc4318b952cb168a9e0f3bbe5d0b2980a0529fcd01079a94449f55bd83b8088d6d7761274d52ac58b6b110594990eaca4c26ee53ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ea171893d39eda8b1f6200eee9cd211b

SHA1
86abd986756cd70b41a1c346f95bb4932277ccda

SHA256
447ff4aae45ab9ea9f837ffaf209670f10873b340ad7f1d03272495962599624

SHA512
e87f30b0803ccb3dd5ef112ac4e0b7ec310211e098ce100f03e2ee8624f756b63527dfe17c7b916d02d20448380c3d6414d35aa9f51d5cb008db3e24a0fac5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe5b4552.TMP
Filesize
6KB

MD5
8982a5e2596be83ea4a2ff4e900309ab

SHA1
2869a20ba8bddfac80703777343549409b993aa5

SHA256
15bef7227d50b5b2cbe435374f63a97550b5248a649e7a0fc8b0819e18443b22

SHA512
238dda64c049b7dafa7e8e6a8cf87807bed2a2c42a9d10c5dea16a2bc02177ef82af81f20572f4b17c9bb58d0087eed8bc193507ba77d6e85ac236c57e37921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d95c82089f45baf024a22fa985126581

SHA1
a0d6625e6a3e588cde25741b579316861320c833

SHA256
2a572a468b6b9abacf43452f97f4329587ebc43b614a3d6224f62dfb4c241eaa

SHA512
de3090dd1768aa6c1fa687f4f213ba1b396f9cce4a66d2a94b087f43f7e7c92fb9ad4b5f535b91b70a1241031294ae09fa7782bb8de758da1e603591cb9ef021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
27a997b0beec11bc9c1122ac857e4165

SHA1
0390a97ef1895c47c3e0d924bb9ffbddc93eebd3

SHA256
c8c9c375bf4ec220f06aac3b466cdafde824ed3c2c73fa9b9e53d3e75c465179

SHA512
3f554fb359561ab0e633f29ac6b254a7937c5e1579c1d8d37776fa1a169f9d076d44d225889f5a4de406feb04fd98c58318191f3e959f97b2ddf05ef049b90d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
33bed489f6f6ebee3601679683eaf2b9

SHA1
5a8db8d6fc31c6e38fb5ca410027f18f88becc09

SHA256
dc2911dbfc9c1497929a6abff1b41e39316780a0032989edff5eb088c7a3891c

SHA512
af74aabf59c6417ed3ce2e03d185cf40fceecf772d0c4215d9fb17cece9990c7b6f1a432bbb45eb7ca548d3b99d9328ee81472f4420102785933c5050bc16abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4daf49471411598d7ecdc6a32751a4af

SHA1
dcda36de2e94c452efb2b850b08360286ab103e2

SHA256
a729a223659b50972297561ddfa1096087ebb1126fdea97f88d313fdf0689341

SHA512
5b39e56cff9575f6bd27d55d84fc7017707dfe9f5918c0638c529c18cf6f06b8704c55410c5915568eae4d387ef3e05fd12d1d31043f22424f2511eb39be7132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5a5f51e7da2d5091617bf8e73846a385

SHA1
4159dbb564022d55cb059b8aa1920d9af917d620

SHA256
147ecd6e86acb147a574b570c24876a52849f9ce94532bbfdf087b30c9e95710

SHA512
a9ca1b21d73ff2320292a10a5ec756aa06b6f1ccef1130e4d5908a65e27c7dd85db0921f596fc92a6753a1deef33dc1308a126d4f8e2932245d3fbf280a91532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
94c1d9bbc102da257e71f3df3021dfeb

SHA1
bab64b884da90e9ec14f2102b243f1b92f0d3881

SHA256
a12f5f9ce158e2cc7f8f2f67e1d226c4b7d5484479ddf3e97701ef3e685c2576

SHA512
95953e3dd734adbea45fefb413ab6c0c2646ece4d1555d17d98f52bfd809d1962e3277927b1b8850227474b6046898bc6f41373c958a19d5d24521dee849f7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e0c6.TMP
Filesize
538B

MD5
15c9d9bcd97aec204f2120e0e1280140

SHA1
a1ba96f30352c6d41592a376dd37c79d2b707248

SHA256
52486807420d02c8830de61a985282ddbf46a4f5fe401ab96a7e70073370cf6e

SHA512
0c0ed01869e59141ce66c3a8009621a3d656a573d3a94ec297dfdb657cbd32380ab93a9d343dcfc6ef1bc2bad2005ace5f2e53891c82b7f7b12469254029bbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a7a71.TMP
Filesize
1KB

MD5
91acf151cf2ffbed0357d55a521a6e6b

SHA1
48f00d01136915ba53337b8ab072d06170cea1a6

SHA256
d4a041f95cc8af5dd5572fa796c2c5023f309b8d1eece5cc8e5a50d7180f9dcb

SHA512
895c28dd3efabba3e14b2831ca1519124568eb473fc37bb24f643cb548e6eee657de36a1b2cbcba80f91b2ace76a147ce656da5da61bd515e5d8827f71605d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
808fccf20b3e8d3d8e8e4d68642df5b1

SHA1
111b28623d14ba1beb651bb33a69e52daa259857

SHA256
1315fc6bdf6920a35566729fad134c6daefd4228e6b1f5e58d5aa7f123583fa9

SHA512
9a716ac8b8cfbacd6a39619aa14b0082d783a8d91ddd9026815dfb26ec1934a4af9fed59cfbb386fa1a285e2d064707e674ff56de6044bb374287ff4b2f343f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
93235623585cb3bdef63ac1a7a1f9e02

SHA1
5f79a8a81970468a259b0646ddff84abaa94a97d

SHA256
cb8a060964ecf257f435a545cb32597d531f6225e273419f6918a59624428753

SHA512
362fd3f929af65ef255039b53c3c66ec47a34e9e82e4b8b7356a8fa4f21b0fba2661e437efe6d8792117b478bef9005d31e5875d15428871ec051e3cd707b1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c3c0ad4656d2fd8658affb066a37cf68

SHA1
00eacbdd25b5f72be9f334e0a20a4423ccee3112

SHA256
ed61566dea3efadcfd90accb3a59a876f36806e1fa6e35406f40d4fe084d6a4a

SHA512
026dd534519d9ad1c8161e479c05058d1464897954fc95d45b5b88b53343b449f53be1ade81fdb2e454ec66bc7fde48e5ebe433be7f5c8dd544837f17688f957

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 472682.crdownload
Filesize
181KB

MD5
0826df3aaa157edff9c0325f298850c2

SHA1
ed35b02fa029f1e724ed65c2de5de6e5c04f7042

SHA256
2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b

SHA512
af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 683811.crdownload
Filesize
10.6MB

MD5
e9e5596b42f209cc058b55edc2737a80

SHA1
f30232697b3f54e58af08421da697262c99ec48b

SHA256
9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305

SHA512
e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 811609.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
\??\pipe\LOCAL\crashpad_1384_PEKMJTEMLCUVOQMV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4052-495-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4052-13089-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4052-470-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4052-494-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/12516-24296-0x000002F7DA7B0000-0x000002F7DB7C6000-memory.dmp

Filesize
16.1MB

Download
memory/12516-24294-0x000002F7BF5E0000-0x000002F7C007C000-memory.dmp

Filesize
10.6MB

Download
memory/12516-24295-0x00007FFEDD550000-0x00007FFEDE012000-memory.dmp

Filesize
10.8MB

Download
memory/12516-24297-0x000002F7C0480000-0x000002F7C0486000-memory.dmp

Filesize
24KB

Download
memory/12516-24298-0x000002F7DA6B0000-0x000002F7DA6C0000-memory.dmp

Filesize
64KB

Download
memory/12516-24351-0x00007FFEDD550000-0x00007FFEDE012000-memory.dmp

Filesize
10.8MB

Download
memory/26864-14483-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/26864-24142-0x000000000A560000-0x000000000A594000-memory.dmp

Filesize
208KB

Download
memory/26864-24143-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/26864-24158-0x000000000A560000-0x000000000A594000-memory.dmp

Filesize
208KB

Download
memory/26864-24157-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads