Resubmissions

29-04-2024 07:46

240429-jlyaxsdf97 10

28-04-2024 13:27

240428-qp2wvagg39 10

28-04-2024 13:08

240428-qdnj3sge28 10

28-04-2024 12:57

240428-p7ch8sgc77 10

28-04-2024 12:50

240428-p25ylagf2v 10

28-04-2024 12:29

240428-pnvwgagb8t 10

Analysis

  • max time kernel
    385s
  • max time network
    427s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28-04-2024 13:08

General

  • Target

    CoronaVirus.exe

  • Size

    1.0MB

  • MD5

    055d1462f66a350d9886542d4d79bc2b

  • SHA1

    f1086d2f667d807dbb1aa362a7a809ea119f2565

  • SHA256

    dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

  • SHA512

    2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

  • SSDEEP

    24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com
Write this ID in the title of your message E5331119
In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

coronavirus@qq.com

Signatures

  • Dharma

    Dharma is a ransomware family that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (567) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
    PID:3560
    Signatures: Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      PID:744
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        PID:25832
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        PID:26288
        Signatures: Interacts with shadow copies
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      PID:15532
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        PID:17528
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        PID:18976
        Signatures: Interacts with shadow copies
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID:18000
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID:18440

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID:3384
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID:3548
      Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.0.1265738289\1318787041" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c471681-03aa-480f-881d-bc76f9502c41} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 1832 23715f0f258 gpu
        PID:4064
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.1.1660112967\369075829" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea32af4-6306-4d33-8f31-7d839e8f8427} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 2356 23709289358 socket
        PID:536
        Signatures: Checks processor information in registry
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.2.394627168\453796764" -childID 1 -isForBrowser -prefsHandle 2636 -prefMapHandle 3008 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ca29107-a633-4957-8383-2bd2ea6cbcd0} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 2836 237187f5d58 tab
        PID:4344
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.3.330069295\142985224" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5e2c6eb-bba0-466a-8de4-bf1e22c6fd46} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3556 2370927ab58 tab
        PID:716
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.4.1669217229\1010309426" -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3a94610-15d2-4491-8dde-b2e416b9d734} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5076 2371dfbe158 tab
        PID:2416
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.5.209896682\1202496038" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5260 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a018c315-b403-4a4c-8a6e-7e9c59341d9b} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5244 2371dfbe758 tab
        PID:1948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.6.1581736305\1738267766" -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea659621-5313-4f0e-8e77-a93464997ca1} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5476 2371dfbf058 tab
        PID:1140
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.7.1117943100\1168763648" -childID 6 -isForBrowser -prefsHandle 5960 -prefMapHandle 5956 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43f0c6f3-4c9a-4233-be7e-42c2b66484a8} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 5968 2371f7b5b58 tab
        PID:3688

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:6260
    Signatures: Suspicious use of AdjustPrivilegeToken

  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\9132e88ef04f4f72bd5464dd74e8812d /t 18560 /p 18440
    PID:19528

  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    PID:22016

  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    PID:26300
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\SearchProtocolHost.exe
      "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3062789476-783164490-2318012559-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3062789476-783164490-2318012559-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      PID:24516
    • C:\Windows\System32\SearchProtocolHost.exe
      "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      PID:21920
      Signatures: Modifies data under HKEY_USERS
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 836 3876 3320 820 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
      PID:16820

  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    PID:18752
    • C:\Windows\system32\Taskmgr.exe
      taskmgr.exe
      PID:5828
      Signatures: Drops startup file; Checks SCSI registry key(s); Checks processor information in registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID:18836
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID:18996

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID:14788

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:25768

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1 signature
    Registry Run Keys / Startup Folder (T1547.001): 1 signature

  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1 signature
    Registry Run Keys / Startup Folder (T1547.001): 1 signature

  • Defense Evasion
    Indicator Removal (T1070): 2 signatures
    File Deletion (T1070.004): 2 signatures
    Modify Registry (T1112): 1 signature

  • Credential Access
    Unsecured Credentials (T1552): 1 signature
    Credentials In Files (T1552.001): 1 signature

  • Discovery
    Query Registry (T1012): 4 signatures
    Peripheral Device Discovery (T1120): 2 signatures
    System Information Discovery (T1082): 4 signatures

  • Collection
    Data from Local System (T1005): 1 signature

  • Impact
    Inhibit System Recovery (T1490): 2 signatures


Downloads


                                                SHA512

                                                4b4cc6e20e4f147690605d41a01bc4b39032078582fce1d8f6059f609528729447a5e0ee32a2c064d6da2c76db7ee28f5b0d47e25f53a396aad5416c2888f665

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                411bf14fead10dd3a426b1b66e91c11e

                                                SHA1

                                                65d984f406fa2d8451a78d06bdafd348cfc9d1e5

                                                SHA256

                                                86d90cb3e21c2901c3ee45d607a50a6bdeec8b0e4a059fdfc624357cee3c2233

                                                SHA512

                                                16ed920d7c32592aea222065c600c2a581e13894d3a03f94a94709d2536e9c6cdc811022622be5da9d34346869b82bd15ae61e29906d028b1b3f206fcd4b72f0

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00002.jtx.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                e009f41101bc02472c9191b404ab5a91

                                                SHA1

                                                921ff28574b2fbd37fcb605cac607f4855097c71

                                                SHA256

                                                d3261ca12b6fefd8003c1b7ddb649e4b122e216674a65109905df99f3821e9e6

                                                SHA512

                                                7286f7b6c1dabeaa013f427e6505dda74eaccb1d45b4b5ccacc1326d33a601eef8dbce3af6413c972a0f167c9476c976cf67b4739bf2a37a0dfc6e606206ea33

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00003.jtx.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                bf633aa43d9fcbd0fbc6d747bb2be161

                                                SHA1

                                                9225107f08687f79bdc930f50a957c26fa5f8874

                                                SHA256

                                                abe70beed8e850d76ea0519efbbe799a738b2547adf9c09bf3670135caf615ac

                                                SHA512

                                                41631b8c9ac82cbc2ac67b06243bf36986e318e3490b69dcb2e116d75db9dafd0f5ab98e6290630d6e6479312d15d9731c221f7c30c93bcb1254f06f01eadba5

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                a1ac36f0223988b28c27ce5e4492d98e

                                                SHA1

                                                fdc77ae7d6543e67a12821b0da9223e7e06989ab

                                                SHA256

                                                09e5738e381de30606fa25b7fda68c20cf8222525826c4b9bcd6769a3047178b

                                                SHA512

                                                195da5e383f18440cbc86aeb70a057d739bca0aec6637cd3b7958d3c44b1b189b0f3858d0b9942fda8c76dad8b473f87f5a44d55a87ee5b0f7ecbbc37220c1c2

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                d4c2b998ad48d2fe2e55fac2bdd78ea7

                                                SHA1

                                                4b4f789648aa4e5922ec2ba46140f97615980fc4

                                                SHA256

                                                b01d53b8274b600fd7ab0000c862c372d3da29c7ffdd16cf48fda0ea052b22ac

                                                SHA512

                                                4b519d54d084c286dda9e556ee94f43107964c2b17fd7505d4a043017d824b7739dd094526e790f8656a2945bb9e335916c1da60852b5d14f60d0ab5e1dc5572

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                ab82c0f6ba4ae961f8833218c3a730a2

                                                SHA1

                                                d6b18a94166cc7d4269df50a5cfb607e114ca1a3

                                                SHA256

                                                a7d36c20887630b57819fe93300e3df1a7eb772de4586a2e3b6ac290a7b3599a

                                                SHA512

                                                85e9f1394448302c80bd0f1d4da2e8b5e72553a7c6d48e68fe7f0bda4cc49585bc6b1dc3ab73e491b8d2dd86b6ae327ff3c4b5babc806fa2b664dbce744a8cb8

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx
                                                Filesize

                                                1024KB

                                                MD5

                                                b6d81b360a5672d80c27430f39153e2c

                                                SHA1

                                                3b71f43ff30f4b15b5cd85dd9e95ebc7e84eb5a3

                                                SHA256

                                                30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58

                                                SHA512

                                                d6292685b380e338e025b3415a90fe8f9d39a46e7bdba8cb78c50a338cefca741f69e4e46411c32de1afdedfb268e579a51f81ff85e56f55b0ee7c33fe8c25c9

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx
                                                Filesize

                                                1024KB

                                                MD5

                                                24c5fd0218575e9debea76de675b9c0b

                                                SHA1

                                                e9c1c92a96bb1aedcbfb109a20a68e8005368f5c

                                                SHA256

                                                5e9e738343aa78f7c1767f320f7df385f2ff5bb447d0694f6696810e0245631f

                                                SHA512

                                                5d1deb7e3851ebe962b9c18ed9191a5ba5a741870583b0ca5f51642cb080066b14a32c080e27f50c4d6828eb26331ee2b4b6b40cd96efbf12efa5a6890c78787

                                              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbtmp.jtx.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                1.0MB

                                                MD5

                                                a148dd9d24cd9a7576bee7406817060e

                                                SHA1

                                                f418094cbc93c9629d5983db02ec474b70724b8d

                                                SHA256

                                                ecd8db511bd800094d07f58a4e286190ffe9bf558fe5259ee9e32c31791f253a

                                                SHA512

                                                e0332fcdae30f8ca82d95e7ee9b12b1861a16994e96aa6c0d8262edea7d3dbf66432e7136440fefa62c71e72724c81a12b6a7921c52e53dc0354e9ca074494fb

                                              • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.id-E5331119.[coronavirus@qq.com].ncov
                                                Filesize

                                                290KB

                                                MD5

                                                bbfde7231f5dece2f4042d57d2c54957

                                                SHA1

                                                fb0a0516039dd68b3a1cf3d42c1dd88e765b68cd

                                                SHA256

                                                ab8f7aef971a5636e159b8d99203dbd6ba9dbccbfbdc99d5136deda2e027b159

                                                SHA512

                                                f1a589097f4eb4ad5aabf50d935ebed50aceb892e8a86122ea47413802b4c6a9c196dcc34d3a3f5283533987c47bcbab731b6c9c427b1592fd75db2227aafa91

                                              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe
                                                Filesize

                                                1.0MB

                                                MD5

                                                055d1462f66a350d9886542d4d79bc2b

                                                SHA1

                                                f1086d2f667d807dbb1aa362a7a809ea119f2565

                                                SHA256

                                                dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

                                                SHA512

                                                2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

                                              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                                                Filesize

                                                13KB

                                                MD5

                                                57fdc01b75425cb21b873cce36590dff

                                                SHA1

                                                d430058765619684b91b79b1fda6ca937dfb9d66

                                                SHA256

                                                c92c1291d9ed736350758630b0040159dd69b5e70953a26f31c554b86c8076f4

                                                SHA512

                                                7d950cae0e84b453dd4bccd673a02b309dfdb82d83440dd748e10f981ee85afc371255d8824c730e628bffcf8c194f0c35297a3b635920e81a306492bb3daa55

                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp
                                                Filesize

                                                26KB

                                                MD5

                                                a15d3801ae8a633cd1150a8195e6eee1

                                                SHA1

                                                1464ff7a74301e4e1c7f119a83f57c300fe6cb7f

                                                SHA256

                                                37de56fb44072f159fd1dd59c746da02bf0f5941ac0251afcce39e5daa285e5e

                                                SHA512

                                                dc3db5e028b8712cbdd08d46ccba307fe77b4036c01ad38d846e8df402ca9db9d1cf5143f608c999d53d7e059ba808e4180350fb575334e0d17396497f0160e7

                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\activity-stream.discovery_stream.json.tmp
                                                Filesize

                                                27KB

                                                MD5

                                                676c9dfcfe285ded05396e6c7760b809

                                                SHA1

                                                da89c538965204a88007a4d1c88b2a67c3d3164d

                                                SHA256

                                                a3301b8f378d5345a179be6a23b897ace355fc8d808e3c5e7b99f4759ccc6738

                                                SHA512

                                                4eb9a6cf93a7a3a57da4d57b037d7631719f31a75918b600d9750f8fe1cc9ca5fe36983c67eb2824a18154a1390e67288e5d12bf6a80de7cc6eaa35d65a7bbe6

                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3b1psp2h.default-release\cache2\entries\8889BDA353177B2CBE445A1C3B1F487FCD52CE10
                                                Filesize

                                                210KB

                                                MD5

                                                26f4940cb0229bd8df46252b0de656fd

                                                SHA1

                                                8d3a2bb74b33ead01982f510fdb8a946939c03f9

                                                SHA256

                                                889739028892d0776f8cd54285fc9ea05c1a8e9a087f6b1569e8a69fb07136aa

                                                SHA512

                                                228e7575dec16590f753bf3fd7ac2aca4a3ee1253ed894478ed1f4b28a8b0776580b2458970617b41cb599be262b68180869c09e7d2aa91004b0c08303abab87

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\favicons.sqlite
                                                Filesize

                                                5.8MB

                                                MD5

                                                ed90770e50e0ef681ba93f5c1caa00e4

                                                SHA1

                                                8a1b1f5acad843f8bd1d762c56cb5a41b5618df9

                                                SHA256

                                                3d78cb481c2dd31eea226ea0805d1153776b9639630016d097bf3281509e9f0f

                                                SHA512

                                                bc1c37ae317130fb60d1efb15e38c9864a0bda9533cfa5b16efa071fec70a134da9bde7f4192bffe4aa6c86744a8c12a5db6e8f43e8dea07bd907454becb9a18

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\places.sqlite
                                                Filesize

                                                5.8MB

                                                MD5

                                                977e10e8b5a4749d06ba2434e3347870

                                                SHA1

                                                9817d1478e658c8aabf3db08db7fdffcf22f63dc

                                                SHA256

                                                e0ad8d7f710311ed430eed18cdbdc297c2cf03e151ae2a4dd41f7de176716aab

                                                SHA512

                                                5a9c13183aae135cc77f6a8bf78953a41073a7bc8cb7128dc0a158d766251902b50f7c7951ad0c25630d4e9ff1d6f666fe58e7133985bfbbb2bb2ddcb7302049

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
                                                Filesize

                                                6KB

                                                MD5

                                                8dec274e8b8dfd83ffb1ac4961e44c15

                                                SHA1

                                                8e948947ad4aef3b2c9f9045cd07e55cd64c7bf1

                                                SHA256

                                                76fc8005ce529ca8a1c24f4f3406f5b1d70833cbb008e6c3be3eac86d908146c

                                                SHA512

                                                afd20e9c90f9243a81e750e132f4e63c47660670d4a8c90d7a896679a2ec924dbddccbba318608d656519d1def8a2490a92acda327e1c441d5cab0638f382f1c

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionCheckpoints.json.tmp
                                                Filesize

                                                288B

                                                MD5

                                                6b77a9f779399e95d1cee931a2c8f8ff

                                                SHA1

                                                826efd4feb0d50fcce5696111af7c811b81adcd9

                                                SHA256

                                                3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3

                                                SHA512

                                                ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore-backups\recovery.jsonlz4
                                                Filesize

                                                3KB

                                                MD5

                                                63388ad3c32dfc0847c40961c86639a5

                                                SHA1

                                                ff73bb18fd29a1c54442b019fbfea51f7162c84f

                                                SHA256

                                                c3e0605d1c4b8f187c3db2192ba59b6a7fa39217fa0c0b9eb77d64df697a2c58

                                                SHA512

                                                0c8693da01182381492cb2b4aec9f83794c2d187131c25bddd4a1d1d490b96ef0335c37fa5d89bd33afed6cc853b53d8e547ca84e14d1532f41f22b0eba541a0

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\sessionstore.jsonlz4
                                                Filesize

                                                4KB

                                                MD5

                                                925bd69e0d891ad5aa2b5d4d84015a32

                                                SHA1

                                                a109d54795ac5d3604b6d7440d3282d5c53e2294

                                                SHA256

                                                dde01a9732424f75cab3b7f5585b265836a7f8ff9f352203805f77b04714bd6e

                                                SHA512

                                                03698ae139bba696a546c52e7919591dad4b3b25c8f27452ef46ef69f4de4d5e3d9baf8d52f8fdf1f9de2be1970693c528e619bc7494e7c352f49333ec7e74aa

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\targeting.snapshot.json
                                                MD5

                                                d41d8cd98f00b204e9800998ecf8427e

                                                SHA1

                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                SHA256

                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                SHA512

                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
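The dropped-file listing above is raw sandbox output; the information a responder actually needs from it is the encrypted-file naming scheme (original name, then `.id-<victim id>.[<contact e-mail>].ncov`), the victim ID and contact address embedded in those names, which encrypted files still have their untouched original beside them, and the fact that the sample copied itself and its `Info.hta` note into the all-users Startup folder. The script below is an added example, not part of the sandbox report or of any tool it comes from: it parses entries in the report's own "path / Filesize / MD5 / ..." layout, extracts those indicators, and emits a hunting glob. The sample listing it embeds is an excerpt of the entries above with the SHA columns trimmed; the assumption that the `.id-<8 hex>.[<e-mail>].ncov` pattern is the only renaming scheme in play is taken from this run and may not hold for other builds.

```python
"""Triage a sandbox dropped-file listing from a ransomware run.

Added example (not from the report). Recognises files renamed with the
<name>.id-<victim id>.[<e-mail>].ncov scheme seen in this run, pairs them
with captured originals, and flags writes to the all-users Startup folder.
"""
import re
from pathlib import PureWindowsPath

# Naming scheme observed in this run; assumed to be the only one used here.
RANSOM_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-F]{8})\.\[(?P<email>[^\]]+)\]\.ncov$",
    re.IGNORECASE,
)
STARTUP_DIR = PureWindowsPath(
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# Excerpt of the report's listing (SHA columns trimmed), used as sample input.
SAMPLE_LISTING = r"""
• C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp
  Filesize
  8KB
  MD5
  36771898e9ad83b61a019d8788d147bf
• C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jcp.id-E5331119.[coronavirus@qq.com].ncov
  Filesize
  8KB
  MD5
  f30e1ff0d5b5546a682e50118d3f3387
• C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx.id-E5331119.[coronavirus@qq.com].ncov
  Filesize
  1.0MB
  MD5
  411bf14fead10dd3a426b1b66e91c11e
• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe
  Filesize
  1.0MB
  MD5
  055d1462f66a350d9886542d4d79bc2b
• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  Filesize
  13KB
  MD5
  57fdc01b75425cb21b873cce36590dff
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3b1psp2h.default-release\prefs.js
  Filesize
  6KB
  MD5
  8dec274e8b8dfd83ffb1ac4961e44c15
"""


def parse_listing(text):
    """Turn '• path' bullets followed by label/value lines into dicts."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line.lstrip("•").strip()}
            entries.append(current)
            pending = None
        elif line in LABELS:
            pending = line
        elif current is not None and pending is not None:
            current[pending] = line
            pending = None
    return entries


def triage(entries):
    """Classify entries: encrypted files, IDs, e-mails, original pairs, persistence."""
    by_path = {e["path"]: e for e in entries}
    summary = {"encrypted": [], "pairs": [], "persistence": [],
               "victim_ids": set(), "emails": set()}
    for e in entries:
        p = PureWindowsPath(e["path"])
        m = RANSOM_NAME.match(p.name)
        if m:
            summary["encrypted"].append(e["path"])
            summary["victim_ids"].add(m.group("victim_id").upper())
            summary["emails"].add(m.group("email"))
            original = str(p.with_name(m.group("original")))
            if original in by_path:  # plaintext copy also captured
                summary["pairs"].append((original, e["path"]))
        if p.parent == STARTUP_DIR:  # PureWindowsPath compares case-insensitively
            summary["persistence"].append(e["path"])
    return summary


def hunt_globs(summary):
    """Filename globs to sweep other hosts for the same campaign's output."""
    return sorted(f"*.id-{vid}.[{mail}].ncov"
                  for vid in summary["victim_ids"] for mail in summary["emails"])


if __name__ == "__main__":
    s = triage(parse_listing(SAMPLE_LISTING))
    print(s["victim_ids"], s["emails"], s["persistence"], hunt_globs(s))
```

Pairs of original and encrypted file with identical reported size (as with `edb.jcp`, 8KB on both sides) are worth keeping together: they give an analyst a known-plaintext pair for inspecting the cipher's behaviour before anything is paid for or run.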

                                              • memory/3560-24710-0x000000000A6A0000-0x000000000A6D4000-memory.dmp
                                                Filesize

                                                208KB

                                              • memory/3560-20522-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/3560-0-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/3560-84-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/3560-82-0x000000000A6A0000-0x000000000A6D4000-memory.dmp
                                                Filesize

                                                208KB

                                              • memory/22016-24736-0x00000221979C0000-0x00000221979D0000-memory.dmp
                                                Filesize

                                                64KB

                                              • memory/22016-24720-0x0000022197790000-0x00000221977A0000-memory.dmp
                                                Filesize

                                                64KB

                                              • memory/22016-24755-0x000002219BC40000-0x000002219BC41000-memory.dmp
                                                Filesize

                                                4KB

                                              • memory/22016-24761-0x000002219BB90000-0x000002219BB91000-memory.dmp
                                                Filesize

                                                4KB