dharma | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

Resubmissions

29-04-2024 07:46

240429-jlyaxsdf97 10

28-04-2024 13:27

28-04-2024 13:08

28-04-2024 12:57

28-04-2024 12:50

28-04-2024 12:29

Analysis

max time kernel
79s
max time network
135s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CoronaVirus.exe
Size

1.0MB
MD5

055d1462f66a350d9886542d4d79bc2b
SHA1

f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256

dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512

2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
SSDEEP

24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 3 IoCs

pid	Process
3000	chrome.exe
2832	chrome.exe
4336	chrome.exe

Loads dropped DLL 64 IoCs

pid	Process
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
3000	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
3000	chrome.exe
3000	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
2832	chrome.exe
4336	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
3000	chrome.exe
3000	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6KIMP0IT\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIYQP923\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L54IQZD2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\334W6EWO\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15056_.GIF	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTINTL.DLL.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif	CoronaVirus.exe
File created	C:\Program Files\Java\jre7\lib\zi\MST.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\MANUAL.ICO	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll.id-74772EC7.[[email protected]].ncov	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4308	vssadmin.exe
2932	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
1760	CoronaVirus.exe
5108	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5108	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeBackupPrivilege	3276	vssvc.exe
Token: SeRestorePrivilege	3276	vssvc.exe
Token: SeAuditPrivilege	3276	vssvc.exe
Token: SeDebugPrivilege	5108	taskmgr.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe
5108	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2324	2696	chrome.exe	31
PID 2696 wrote to memory of 2324	2696	chrome.exe	31
PID 2696 wrote to memory of 2324	2696	chrome.exe	31
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2504	2696	chrome.exe	33
PID 2696 wrote to memory of 2152	2696	chrome.exe	34
PID 2696 wrote to memory of 2152	2696	chrome.exe	34
PID 2696 wrote to memory of 2152	2696	chrome.exe	34
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35
PID 2696 wrote to memory of 2876	2696	chrome.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe
"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1760
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1792
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:1160
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4308
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2364
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:3992
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2932
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:2296
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:4372

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5fe9758,0x7fef5fe9768,0x7fef5fe9778
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:2
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1580 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1408,i,17333400545841513883,16341971535064281717,131072 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
PID:1812

C:\Windows\System32\BitLockerWizardElev.exe
"C:\Windows\System32\BitLockerWizardElev.exe" C:\ T
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-74772EC7.[[email protected]].ncov

Filesize
6.3MB

MD5
9694d7c2f6e689a70d577155ac2a7811

SHA1
28aee41dd904a8d58cf4282e4f20311c50c6acb0

SHA256
5e562e4d10480cf3e53661bc199fd25b5cc9585e43efcd862fa63a504e8da5fc

SHA512
cee285d2318fb84724ce27c3a5d672da87aa4d627fc9690feb1476eb0fc7b993a8e2f690dcf239a42e05687eaf589dd1dc4798eef025b7e73f4493fbbeeda79f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5ade7323af0468b467e6830c2001a677

SHA1
9f7e95e9aeee199dbf406b0daca9e07388833b59

SHA256
407081d9110b56a8fc98005dee87d4afda1876588b69455bceaa568710599fab

SHA512
73aaa321b950126a5bb1c34a5f980e77b80cfbf884dd71dacecd004f32122e10abc595e2311541a6518d580c24c374fe5ac4b10e92411db9802a2b7e6544e289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
51abd2da29d7d45b8c4be6366b22e434

SHA1
ffba5fa2ce0630b6f76a874a0a923bd255dd301f

SHA256
5f4e7384db2008ec8a47651a5ada497e012d5f965a094276a0595b6ff2792b9a

SHA512
f595e2191e7389b53344b0d3a6a80876b26ef234c9ae9f4c79d6589dab9cb6802378d48f735c5b64a43ff29921834e0dda80d787c07c00de64b614430d896107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
166KB

MD5
55ee9ff139dadc1a03c56867cdb2ccf1

SHA1
a6a7a0179180d8e11ae4b8fbe70a0d5abb95e537

SHA256
d5577aa211330045657cc60121d0dff972ea913d6c20587e2fce00a62322c7a8

SHA512
90b15c0190cb295cb5aaebeefbc99103505405e633f1f090a4792a9a9f4ddde3901063748d0f4281f4670873c4458b7f5895b79b44e7792f2d9a44e71f1dae44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
87c9d3fff4d47366d5ba73259e9e8a00

SHA1
89a9a646f3391a87a7935a710e9b62337d70ec20

SHA256
6a80c292fabc3e299cab9185990271d777dc65e09bfb4a1cec55dbb50604e753

SHA512
d9fa3740ccc7095225b5566ab82de26d3cbba7ac6c14faaae5672f90ae8e90b1e2056fe218cd0daca4b32379c82553c7320d3267490ac0dc2b1fbfe629177ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\da7f58bf-3d72-4d5b-8089-a391517773a8.tmp

Filesize
189KB

MD5
b437678fa318d779c7d67e22438009b8

SHA1
4ff76d4ca0e77a2149ce972072dc28c579420bd5

SHA256
e4102038c202910069f095acfd7dcddbf0c64a6f01ccf402fc6767a2d5199692

SHA512
844d47224627f5f139fa2107f142569c8493947c86db46498f3e336a583a7dcae4268a1fe15927a2296efb4466991d2d80e49a1ff50dfc050932d4da4026c746

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll

Filesize
194.7MB

MD5
8a71055d24733ac3722ebabe4c6405bd

SHA1
c011c83344f34a37997500b9aaa1387cdde39e3b

SHA256
4a2635e9bbc85ddc6bfb45273b5b570cdd94e86dfd10713c9c6e07f2d3953b6b

SHA512
74cb7a507efedf55bdf49a24f47fa338b57cd08580ca6111f87268f1ca37b1a25a11ac1481e1a4d0c976c6f29ba07d7a7b2bc005db04f9b7590490e370c540f8

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll

Filesize
2.5MB

MD5
bcd202723504b7c09a1c9333c957971d

SHA1
536d1210f4519ca2a759f9b69cb70224108c0981

SHA256
020a6ab995558144f8d2b92037d95477972f821effe8797d16d5752ccd5470f4

SHA512
33cb3ac137b91d78efb3b8ca1af568c24c106f8be4366919a11ed7feecb7b066cba6ed16251fa13a85b0547de9924580793f81e1390bd23add808b5c01c7b524

Download Submit
\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
memory/1760-55-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-2586-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-11652-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

Filesize
208KB

Download
memory/1760-53-0x000000000ACA0000-0x000000000ACD4000-memory.dmp

Filesize
208KB

Download
memory/2296-20494-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/4372-20376-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download
memory/5108-5027-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-13554-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-11654-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-11653-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-10163-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-8230-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12352-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12353-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12798-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12836-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12835-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12834-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-12833-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-13108-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-13107-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-10162-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-13555-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-16954-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-17865-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-17753-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-8219-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-20356-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-20355-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-20357-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-20358-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-6634-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-6633-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-5028-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-2671-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/5108-2675-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download