dharma | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

Resubmissions

29-04-2024 07:46

240429-jlyaxsdf97 10

28-04-2024 13:27

28-04-2024 13:08

28-04-2024 12:57

28-04-2024 12:50

28-04-2024 12:29

Analysis

max time kernel
385s
max time network
427s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CoronaVirus.exe
Size

1.0MB
MD5

055d1462f66a350d9886542d4d79bc2b
SHA1

f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256

dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512

2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP

24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message E5331119 In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

coronavirus@qq.com

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (567) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 6 IoCs

Processes:

CoronaVirus.exeTaskmgr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	Taskmgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3062789476-783164490-2318012559-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SearchIndexer.exe

description	ioc	process
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe

Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\StandardShader.gs.cso	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\DetailsRowFields.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\ui-strings.js.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.INF.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\ui-strings.js.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-commonjs\getChildren.js	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner_process.svg	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-64.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Assets\Square150x150Logo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib\version.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\CameraStoreLogo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-32_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-300.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WordCombinedFloatieModel.bin.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\ui-strings.js.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll.id-E5331119.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

26288 vssadmin.exe
18976 vssadmin.exe

pid	process
26288	vssadmin.exe
18976	vssadmin.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

SearchProtocolHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CoronaVirus.exe

pid	process
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe
3560	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Taskmgr.exe

pid process

5828 Taskmgr.exe

pid	process
5828	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

firefox.exevssvc.exeSearchIndexer.exeTaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3548	firefox.exe
Token: SeDebugPrivilege	3548	firefox.exe
Token: SeBackupPrivilege	6260	vssvc.exe
Token: SeRestorePrivilege	6260	vssvc.exe
Token: SeAuditPrivilege	6260	vssvc.exe
Token: SeManageVolumePrivilege	26300	SearchIndexer.exe
Token: 33	26300	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	26300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	26300	SearchIndexer.exe
Token: SeDebugPrivilege	5828	Taskmgr.exe
Token: SeSystemProfilePrivilege	5828	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5828	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exeTaskmgr.exe

pid	process
3548	firefox.exe
3548	firefox.exe
3548	firefox.exe
3548	firefox.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exeTaskmgr.exe

pid	process
3548	firefox.exe
3548	firefox.exe
3548	firefox.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe
5828	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3548 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3384 wrote to memory of 3548	3384	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 4064	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 536	3548	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:744

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:25832

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:26288

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:15532

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:17528

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:18976

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:18000

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:18440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.0.1265738289\1318787041" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c471681-03aa-480f-881d-bc76f9502c41} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 1832 23715f0f258 gpu
3⤵
PID:4064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.1.1660112967\369075829" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea32af4-6306-4d33-8f31-7d839e8f8427} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 2356 23709289358 socket
3⤵
- Checks processor information in registry
PID:536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.2.394627168\453796764" -childID 1 -isForBrowser -prefsHandle 2636 -prefMapHandle 3008 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ca29107-a633-4957-8383-2bd2ea6cbcd0} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 2836 237187f5d58 tab
3⤵
PID:4344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.3.330069295\142985224" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5e2c6eb-bba0-466a-8de4-bf1e22c6fd46} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3556 2370927ab58 tab
3⤵
PID:716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.4.1669217229\1010309426" -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3a94610-15d2-4491-8dde-b2e416b9d734} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5076 2371dfbe158 tab
3⤵
PID:2416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.5.209896682\1202496038" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5260 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a018c315-b403-4a4c-8a6e-7e9c59341d9b} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5244 2371dfbe758 tab
3⤵
PID:1948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.6.1581736305\1738267766" -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea659621-5313-4f0e-8e77-a93464997ca1} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5476 2371dfbf058 tab
3⤵
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.7.1117943100\1168763648" -childID 6 -isForBrowser -prefsHandle 5960 -prefMapHandle 5956 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43f0c6f3-4c9a-4233-be7e-42c2b66484a8} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5968 2371f7b5b58 tab
3⤵
PID:3688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6260

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9132e88ef04f4f72bd5464dd74e8812d /t 18560 /p 18440
1⤵
PID:19528

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:22016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:26300

C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3062789476-783164490-2318012559-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3062789476-783164490-2318012559-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
2⤵
PID:24516

C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:21920

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 836 3876 3320 820 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
2⤵
PID:16820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:18752

C:\Windows\system32\Taskmgr.exe
taskmgr.exe
2⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:18836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:18996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:14788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:25768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-E5331119.[coronavirus@qq.com].ncov
Filesize
2.7MB

MD5
8b92f29e6672dc671bcc6fdc3e2052c7

SHA1
1a59043d57b90439bee4051600e199fbbdb31790

SHA256
ac8da20be173e6992d0eebd8116932c4a781ef8a85278d359047c40f72173bf2

SHA512
2637107882fa6843c4f6c1ddb9198ebd56aad520a23cf7483d6b0a05c46020d4755cf4b5138ae6b6c46852ba17e12513887c1c4215a12f9c886a44fdb6ad906b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1KB

MD5
57a89d521aa97b76c216377375c39e4c

SHA1
6bba65981070dbeab440e824655b920a0dd2cae1

SHA256
aa8b7caf149a1f40f14e17b93dd502ed25f9fd53a9b9b4a093ebd1920aadfb37

SHA512
595471ddc97178ce5286a2d7d28f5fae36db2456e82188a3bc4fda8ccfd313b691e26f3a44960d49a3850bd53ba5adf32a9fc7828c7d04ee1484b81d1c9f12e0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr.id-E5331119.[coronavirus@qq.com].ncov
Filesize
12KB

MD5
a03dd6c870b213902512f6a2ec3473d3

SHA1
ada5c96c1644084ecca35af7840a4b8891bd5f3b

SHA256
225c462bdf8964dd87fbc33af954d42d56ac96b8ecc45a56c09efe79fe08451a

SHA512
0d7c0d6f33cf52b2c343b38f3b878cc7be2f46a3520badb6cb2f94ff2b644c38788816cfe2889796968a2be499cf291a734df9481706daa19a1612c59914f45e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
Filesize
240B

MD5
5859da9f328b6fee8e8778030a4bdf4f

SHA1
03b48316cf24598187b6d65924cc6cd1fb18615a

SHA256
1cca3876be9ff2bd6ff3e9c3948b9bb3f32c8855047e03cca30589e3dd701c66

SHA512
9913aa4daa3260efef13e3d881effab2816e0c0bc6a738b94855779c8029442195b82e7c44191d2b7eccb45d40e0b3d7fba110f3c0790b50f72f817203b6b0e0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000.id-E5331119.[coronavirus@qq.com].ncov
Filesize
492B

MD5
21e5ad3fb05e7a51ec3e21015592809e

SHA1
c6b0bc34b58e192662e8c2d95ff43a980d5cb8b2

SHA256
56e4a30ea23c26a282418ea1f5a506342752f10f494a724a0bf1d89ac9eca2c5

SHA512
e8d3cd92f604558354734ec6efe19c20d8ba8c8d4876bc9374075ceff6ef69f73f50a059c44a1eeeb0cfea1f44423fd8657923ef1e820d75876fc6bd5a766e67

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001.id-E5331119.[coronavirus@qq.com].ncov
Filesize
64KB

MD5
51c1080c02da42d666659e16fa82194f

SHA1
ffd97f8fc79d6a5008d27a4c9a3a574c174c6910

SHA256
bae445870ecc7cb1701c06c5658ec56cb36d6ba7017ad97a59a7e656a8a3ca70

SHA512
ae3b880c6b9143eb78dbaaf5a8914d7abb8b64cdef979faaa76c59da862a7ada95958686b3042c61f3b0bc8fae9efa3e79d4f0b7a9b4c68de9e0c5eb2eda7a78

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002.id-E5331119.[coronavirus@qq.com].ncov
Filesize
64KB

MD5
90a561768de33139dc689dfbe6e7362a

SHA1
7a41751d5cced87fb4c1476d2e2813f0b5381cc8

SHA256
2b26e448177b657835e41e60d9130aeb4ae771030092ec831e8f0ce88d0c27c8

SHA512
71d7f3ae95a1a07ccd5d9fbc1d38e193a0b9a8bb9640a34ff7476304cbbc4b81e987ec5b283adbedb421eb728326ceaa28e1d489fdd119184171d49930ae77c1

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000.id-E5331119.[coronavirus@qq.com].ncov
Filesize
492B

MD5
b53a63eaf364cdb79f6a4fbc739b45c1

SHA1
16eab6d2b0c002afe004ee02d007935fa755c5c3

SHA256
c08f7d0b93c72c6bc3b4b9da4e34c3ea17bd97264a6b021984aea0fcc51f132f

SHA512
9abcb22e2396b214fdc2a319a035511280f50c378f1401e7526f227d88ca74a3564b8333aa82603e27e1d05b90313bc68993c48668d6945069808f585f8a5af3

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.id-E5331119.[coronavirus@qq.com].ncov
Filesize
64KB

MD5
ac2d7e4d8b8c9232fc6e509141e2a137

SHA1
e46bd9071ba38d26a2347c98d4ed829a1a3fde4b

SHA256
5d7850bb9342cba7347eb945cee0a4a6c75cbf2dc734e980907f4093022ed77b

SHA512
0806fe957c4a04a1f065c2abb1a71867ad696dec4c6d4fa0ddae3ccdc7b72976c8b57589983eb3e41ad4074a4e6a2456e25f86e73f4484e5a13290a0985a73b5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.id-E5331119.[coronavirus@qq.com].ncov
Filesize
64KB

MD5
9bf4fe6cf2825169e0888ca53f1c1184

SHA1
756b02eeb62778d38e98b5e949a60780f91ce399

SHA256
a7e95a91be817403532cb5ca0fcc8e3597cc151bc0d1ae6ebef5cd38908403e4

SHA512
e8acbce9183e4a259fb9dffc3dbbd75b3b64dcc9f6648c267d4184ac27dfbd19fc53870a204a8ce5df2cb819250d2be0e550a901563e9068d392ff32ac358a19

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.id-E5331119.[coronavirus@qq.com].ncov
Filesize
8.8MB

MD5
c82ea92ca6fc425515390078d00f9774

SHA1
de7e061c61b13f6142321c8e5050b9484ca2e4ae

SHA256
03d0db22d7ce0cfa35e4d8579ae6d88a1ba0f409f6c7d7ff6cab7cdd3a1798e8

SHA512
6bc23fe40f8f42777221a7cc935f4bd8cf1f07a670190104a4405a1512d62a02c3f8b3a4b066731c5489582f818e8ff22a1e62ced11ed50c8afc46ec704bf6db

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.jfm.id-E5331119.[coronavirus@qq.com].ncov
Filesize
16KB

MD5
04e1beb8dc7bfaf40555a2294fe8b8a3

SHA1
a94d52f3d0ae37f4437f03030b8d3a3cd5760743

SHA256
988a3ebc8ed32ce3ed73911c854339c087de02aac1c9de0e97ecb6c3b81ef928

SHA512
ed9636b91c44c273d2aedc24e09b05f339406c2732e4961900321f0870843d55c7d8e6e7dcf3b2bb812ae22888245434df1c883ab1e0ace0899a4062156220bc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp
Filesize
8KB

MD5
36771898e9ad83b61a019d8788d147bf

SHA1
e9a2eda5ca876d2ae88da6eca39b5b939a70b7a6

SHA256
eb52acc5025024c30ca866019c7c4ed614a34cc95000d2e7e51d68ff42255a4c

SHA512
26e415232ee352bff86eae20e1b27644ca616b93dfd57cd8ba09ef12ff4e51756ab95bbf78380cc9bcddf143bf0bdbd0de6bac685f70d3bfabc83e9a5415ac90

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp.id-E5331119.[coronavirus@qq.com].ncov
Filesize
8KB

MD5
f30e1ff0d5b5546a682e50118d3f3387

SHA1
f7e6455452cfb0ae95a48b011c3d4e102bec196f

SHA256
c8e3d6f155e5dd5376bb081e136f236470aca9a6ccacd40acc2d839607832f16

SHA512
56132b950599f17da72e0cee8a6b9ca050c34bb40cd0874bffe9768f0a561b62b2e90a500fa00684b9a44ba031c48c4f09c8ada04ef6dbf4c3c7c4ecddf37e9a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx
Filesize
1024KB

MD5
5bce7ac1f6f28b0935fcc5c979e212f2

SHA1
9b2d247c4661774fec7f50d06c344244112d2864

SHA256
df4f12237f818f9857c33f5bbb74850402207a33bd55c2cf6532d62787b68e98

SHA512
4b4cc6e20e4f147690605d41a01bc4b39032078582fce1d8f6059f609528729447a5e0ee32a2c064d6da2c76db7ee28f5b0d47e25f53a396aad5416c2888f665

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
411bf14fead10dd3a426b1b66e91c11e

SHA1
65d984f406fa2d8451a78d06bdafd348cfc9d1e5

SHA256
86d90cb3e21c2901c3ee45d607a50a6bdeec8b0e4a059fdfc624357cee3c2233

SHA512
16ed920d7c32592aea222065c600c2a581e13894d3a03f94a94709d2536e9c6cdc811022622be5da9d34346869b82bd15ae61e29906d028b1b3f206fcd4b72f0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00002.jtx.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
e009f41101bc02472c9191b404ab5a91

SHA1
921ff28574b2fbd37fcb605cac607f4855097c71

SHA256
d3261ca12b6fefd8003c1b7ddb649e4b122e216674a65109905df99f3821e9e6

SHA512
7286f7b6c1dabeaa013f427e6505dda74eaccb1d45b4b5ccacc1326d33a601eef8dbce3af6413c972a0f167c9476c976cf67b4739bf2a37a0dfc6e606206ea33

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00003.jtx.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
bf633aa43d9fcbd0fbc6d747bb2be161

SHA1
9225107f08687f79bdc930f50a957c26fa5f8874

SHA256
abe70beed8e850d76ea0519efbbe799a738b2547adf9c09bf3670135caf615ac

SHA512
41631b8c9ac82cbc2ac67b06243bf36986e318e3490b69dcb2e116d75db9dafd0f5ab98e6290630d6e6479312d15d9731c221f7c30c93bcb1254f06f01eadba5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
a1ac36f0223988b28c27ce5e4492d98e

SHA1
fdc77ae7d6543e67a12821b0da9223e7e06989ab

SHA256
09e5738e381de30606fa25b7fda68c20cf8222525826c4b9bcd6769a3047178b

SHA512
195da5e383f18440cbc86aeb70a057d739bca0aec6637cd3b7958d3c44b1b189b0f3858d0b9942fda8c76dad8b473f87f5a44d55a87ee5b0f7ecbbc37220c1c2

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
d4c2b998ad48d2fe2e55fac2bdd78ea7

SHA1
4b4f789648aa4e5922ec2ba46140f97615980fc4

SHA256
b01d53b8274b600fd7ab0000c862c372d3da29c7ffdd16cf48fda0ea052b22ac

SHA512
4b519d54d084c286dda9e556ee94f43107964c2b17fd7505d4a043017d824b7739dd094526e790f8656a2945bb9e335916c1da60852b5d14f60d0ab5e1dc5572

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
ab82c0f6ba4ae961f8833218c3a730a2

SHA1
d6b18a94166cc7d4269df50a5cfb607e114ca1a3

SHA256
a7d36c20887630b57819fe93300e3df1a7eb772de4586a2e3b6ac290a7b3599a

SHA512
85e9f1394448302c80bd0f1d4da2e8b5e72553a7c6d48e68fe7f0bda4cc49585bc6b1dc3ab73e491b8d2dd86b6ae327ff3c4b5babc806fa2b664dbce744a8cb8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx
Filesize
1024KB

MD5
b6d81b360a5672d80c27430f39153e2c

SHA1
3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3

SHA256
30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58

SHA512
d6292685b380e338e025b3415a90fe8f9d39a46e7bdba8cb78c50a338cefca741f69e4e46411c32de1afdedfb268e579a51f81ff85e56f55b0ee7c33fe8c25c9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx
Filesize
1024KB

MD5
24c5fd0218575e9debea76de675b9c0b

SHA1
e9c1c92a96bb1aedcbfb109a20a68e8005368f5c

SHA256
5e9e738343aa78f7c1767f320f7df385f2ff5bb447d0694f6696810e0245631f

SHA512
5d1deb7e3851ebe962b9c18ed9191a5ba5a741870583b0ca5f51642cb080066b14a32c080e27f50c4d6828eb26331ee2b4b6b40cd96efbf12efa5a6890c78787

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.id-E5331119.[coronavirus@qq.com].ncov
Filesize
1.0MB

MD5
a148dd9d24cd9a7576bee7406817060e

SHA1
f418094cbc93c9629d5983db02ec474b70724b8d

SHA256
ecd8db511bd800094d07f58a4e286190ffe9bf558fe5259ee9e32c31791f253a

SHA512
e0332fcdae30f8ca82d95e7ee9b12b1861a16994e96aa6c0d8262edea7d3dbf66432e7136440fefa62c71e72724c81a12b6a7921c52e53dc0354e9ca074494fb

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.id-E5331119.[coronavirus@qq.com].ncov
Filesize
290KB

MD5
bbfde7231f5dece2f4042d57d2c54957

SHA1
fb0a0516039dd68b3a1cf3d42c1dd88e765b68cd

SHA256
ab8f7aef971a5636e159b8d99203dbd6ba9dbccbfbdc99d5136deda2e027b159

SHA512
f1a589097f4eb4ad5aabf50d935ebed50aceb892e8a86122ea47413802b4c6a9c196dcc34d3a3f5283533987c47bcbab731b6c9c427b1592fd75db2227aafa91

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
57fdc01b75425cb21b873cce36590dff

SHA1
d430058765619684b91b79b1fda6ca937dfb9d66

SHA256
c92c1291d9ed736350758630b0040159dd69b5e70953a26f31c554b86c8076f4

SHA512
7d950cae0e84b453dd4bccd673a02b309dfdb82d83440dd748e10f981ee85afc371255d8824c730e628bffcf8c194f0c35297a3b635920e81a306492bb3daa55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
a15d3801ae8a633cd1150a8195e6eee1

SHA1
1464ff7a74301e4e1c7f119a83f57c300fe6cb7f

SHA256
37de56fb44072f159fd1dd59c746da02bf0f5941ac0251afcce39e5daa285e5e

SHA512
dc3db5e028b8712cbdd08d46ccba307fe77b4036c01ad38d846e8df402ca9db9d1cf5143f608c999d53d7e059ba808e4180350fb575334e0d17396497f0160e7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
676c9dfcfe285ded05396e6c7760b809

SHA1
da89c538965204a88007a4d1c88b2a67c3d3164d

SHA256
a3301b8f378d5345a179be6a23b897ace355fc8d808e3c5e7b99f4759ccc6738

SHA512
4eb9a6cf93a7a3a57da4d57b037d7631719f31a75918b600d9750f8fe1cc9ca5fe36983c67eb2824a18154a1390e67288e5d12bf6a80de7cc6eaa35d65a7bbe6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\8889BDA353177B2CBE445A1C3B1F487FCD52CE10
Filesize
210KB

MD5
26f4940cb0229bd8df46252b0de656fd

SHA1
8d3a2bb74b33ead01982f510fdb8a946939c03f9

SHA256
889739028892d0776f8cd54285fc9ea05c1a8e9a087f6b1569e8a69fb07136aa

SHA512
228e7575dec16590f753bf3fd7ac2aca4a3ee1253ed894478ed1f4b28a8b0776580b2458970617b41cb599be262b68180869c09e7d2aa91004b0c08303abab87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\favicons.sqlite
Filesize
5.8MB

MD5
ed90770e50e0ef681ba93f5c1caa00e4

SHA1
8a1b1f5acad843f8bd1d762c56cb5a41b5618df9

SHA256
3d78cb481c2dd31eea226ea0805d1153776b9639630016d097bf3281509e9f0f

SHA512
bc1c37ae317130fb60d1efb15e38c9864a0bda9533cfa5b16efa071fec70a134da9bde7f4192bffe4aa6c86744a8c12a5db6e8f43e8dea07bd907454becb9a18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\places.sqlite
Filesize
5.8MB

MD5
977e10e8b5a4749d06ba2434e3347870

SHA1
9817d1478e658c8aabf3db08db7fdffcf22f63dc

SHA256
e0ad8d7f710311ed430eed18cdbdc297c2cf03e151ae2a4dd41f7de176716aab

SHA512
5a9c13183aae135cc77f6a8bf78953a41073a7bc8cb7128dc0a158d766251902b50f7c7951ad0c25630d4e9ff1d6f666fe58e7133985bfbbb2bb2ddcb7302049

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
Filesize
6KB

MD5
8dec274e8b8dfd83ffb1ac4961e44c15

SHA1
8e948947ad4aef3b2c9f9045cd07e55cd64c7bf1

SHA256
76fc8005ce529ca8a1c24f4f3406f5b1d70833cbb008e6c3be3eac86d908146c

SHA512
afd20e9c90f9243a81e750e132f4e63c47660670d4a8c90d7a896679a2ec924dbddccbba318608d656519d1def8a2490a92acda327e1c441d5cab0638f382f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionCheckpoints.json.tmp
Filesize
288B

MD5
6b77a9f779399e95d1cee931a2c8f8ff

SHA1
826efd4feb0d50fcce5696111af7c811b81adcd9

SHA256
3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3

SHA512
ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
63388ad3c32dfc0847c40961c86639a5

SHA1
ff73bb18fd29a1c54442b019fbfea51f7162c84f

SHA256
c3e0605d1c4b8f187c3db2192ba59b6a7fa39217fa0c0b9eb77d64df697a2c58

SHA512
0c8693da01182381492cb2b4aec9f83794c2d187131c25bddd4a1d1d490b96ef0335c37fa5d89bd33afed6cc853b53d8e547ca84e14d1532f41f22b0eba541a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
925bd69e0d891ad5aa2b5d4d84015a32

SHA1
a109d54795ac5d3604b6d7440d3282d5c53e2294

SHA256
dde01a9732424f75cab3b7f5585b265836a7f8ff9f352203805f77b04714bd6e

SHA512
03698ae139bba696a546c52e7919591dad4b3b25c8f27452ef46ef69f4de4d5e3d9baf8d52f8fdf1f9de2be1970693c528e619bc7494e7c352f49333ec7e74aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\targeting.snapshot.json
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3560-24710-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/3560-20522-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3560-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3560-84-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3560-82-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/22016-24736-0x00000221979C0000-0x00000221979D0000-memory.dmp

Filesize
64KB

Download
memory/22016-24720-0x0000022197790000-0x00000221977A0000-memory.dmp

Filesize
64KB

Download
memory/22016-24755-0x000002219BC40000-0x000002219BC41000-memory.dmp

Filesize
4KB

Download
memory/22016-24761-0x000002219BB90000-0x000002219BB91000-memory.dmp

Filesize
4KB

Download