dharma | 29dc64e0ada4c711d0452801d3364b2f44cf4bd52337547aaa2f40744da97cd1

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-952492217-3293592999-1071733403-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-952492217-3293592999-1071733403-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-952492217-3293592999-1071733403-1000\desktop.ini	explorer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-952492217-3293592999-1071733403-1000\desktop.ini	explorer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\system32\spool\PRINTERS\PP9n0v00sx7fa6sl4w0uz_1tq6c.TMP	printfilterpipelinesvc.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe
File opened for modification	C:\Windows\System32\1ecmqj.exe	explorer.exe
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	explorer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-100_altform-colorful.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\organize.svg.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\GlassGeometryShader.cso	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.SqlServer.Configuration.SString.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.INF	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Mu\Content	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\fi-FI\PAD.Console.Host.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\System.Spatial.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\DotLiquid.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ar.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateSquare310x310Logo.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured_lg.png.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\EmptyReport.rdlc	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nl.pak.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideLogo.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\FocusTrapZone.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-32_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_altform-unplated_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF.id-0354D2D0.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B61D15F98E24A4A42882574055142AEA\56.64.8781\fileCoreHostExe	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Checkers.api	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1250.TXT2	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\displaylanguagenames.en_ca.t	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TrackedSend.aapp	explorer.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	explorer.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	explorer.exe
File opened for modification	C:\Windows\Offline Web Pages	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100jpn_x86	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobepdf.xdc	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1252.TXT1	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\cryptocme.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CYRILLIC.TXT	explorer.exe
File opened for modification	C:\Windows\Installer\e5dd.msp	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_atl100_x64	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Acrofx32.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_asym.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	explorer.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2	explorer.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs	explorer.exe
File opened for modification	C:\Windows\Media\Garden	explorer.exe
File opened for modification	C:\Windows\Media\Sonata	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_base.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_Full.aapp	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\fillsign.aapp	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TURKISH.TXT	explorer.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32	explorer.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Music	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\plugin.x.manifest	explorer.exe
File opened for modification	C:\Windows\assembly\PublisherPolicy.tme	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CoolType.dll_NON_OPT	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe	explorer.exe
File opened for modification	C:\Windows\Media\Festival	explorer.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Favorites	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acropdf64.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrosup64.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXE8SharedExpat.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\prcr.x3d	explorer.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3	explorer.exe
File opened for modification	C:\Windows\Media\Calligraphy	explorer.exe
File opened for modification	C:\Windows\System32	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100chs_x86	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Flash.mpp	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\home.aapp	explorer.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\SystemSettings\View	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100chs_x64	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d	explorer.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Videos	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Spelling.api	explorer.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100jpn_x64	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobehunspellplugin.dll	explorer.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeXMP.dll	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	3560	WerFault.exe	124

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
49972	vssadmin.exe
49608	vssadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5280	taskkill.exe
4520	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\TypedURLs	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\1\0\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202020202020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\28\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\32\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\1 = 6400310000000000dd580940110050524f4752417e3100004c0009000400efbec5525961dd5841402e0000003f00000000000100000000000000000000000000000069757d00500072006f006700720061006d002000460069006c0065007300000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\1\0\0 = 6c00310000000000dd58f13e10005745425349547e310000540009000400efbedd58f13edd581d3f2e000000e4ab0200000002000000000000000000000000000000bb8b1201570065006200730069007400650053006f00750072006300650043006f0064006500000018000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\2\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\3\0 = 5400310000000000dd58f23e1000466c6f78696600003e0009000400efbedd58f23edd581d3f2e0000009bac020000000100000000000000000000000000000003fe470046006c006f00780069006600000016000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\23\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\32\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\29\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\25\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\1\0\0\0 = 5400310000000000dd58f13e1000696d6167657300003e0009000400efbedd58f13edd581d3f2e0000000aac0200000001000000000000000000000000000000bb8b120169006d006100670065007300000016000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 050000000000000004000000020000000100000003000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\23\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\32\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe

NTFS ADS 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MeltingScreen.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\NewLove.vbs:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\San.html:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lentin\Lentin.c.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Brontok.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\BubbleBoy.html:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Kiray.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MyPics.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Pleh.vbs:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MyDoom.A.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Nyxem.E.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\DesktopBoom.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Mari.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Silver\Silver.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Quamo.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\README.md:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Jer.html:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lacon.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\White.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ScreenScrew.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Xanax.exe:Zone.Identifier	explorer.exe
File created	C:\Users\Admin\Downloads\BabylonClient12.msi:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Maldal.a.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Merkur.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MsWorld.exe:Zone.Identifier	explorer.exe
File created	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Funsoul.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Happy99.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Pikachu.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Botnets\FritzFrog\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\ILOVEYOU.vbs:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lentin\Lentin.d.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1:Zone.Identifier	explorer.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
3680	explorer.exe
3680	explorer.exe
36808	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4200	Gnil.exe
4200	Gnil.exe
4200	Gnil.exe
4200	Gnil.exe
4200	Gnil.exe
4200	Gnil.exe
3668	spoclsv.exe
3668	spoclsv.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe
5628	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3680	explorer.exe
2852	MsiExec.exe
36808	explorer.exe
38304	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	5280	taskkill.exe
Token: 33	656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	656	AUDIODG.EXE
Token: SeSecurityPrivilege	3680	explorer.exe
Token: SeTakeOwnershipPrivilege	3680	explorer.exe
Token: SeSecurityPrivilege	3680	explorer.exe
Token: SeTakeOwnershipPrivilege	3680	explorer.exe
Token: SeSecurityPrivilege	3680	explorer.exe
Token: SeTakeOwnershipPrivilege	3680	explorer.exe
Token: SeShutdownPrivilege	3896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3896	msiexec.exe
Token: SeSecurityPrivilege	5552	msiexec.exe
Token: SeCreateTokenPrivilege	3896	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3896	msiexec.exe
Token: SeLockMemoryPrivilege	3896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3896	msiexec.exe
Token: SeMachineAccountPrivilege	3896	msiexec.exe
Token: SeTcbPrivilege	3896	msiexec.exe
Token: SeSecurityPrivilege	3896	msiexec.exe
Token: SeTakeOwnershipPrivilege	3896	msiexec.exe
Token: SeLoadDriverPrivilege	3896	msiexec.exe
Token: SeSystemProfilePrivilege	3896	msiexec.exe
Token: SeSystemtimePrivilege	3896	msiexec.exe
Token: SeProfSingleProcessPrivilege	3896	msiexec.exe
Token: SeIncBasePriorityPrivilege	3896	msiexec.exe
Token: SeCreatePagefilePrivilege	3896	msiexec.exe
Token: SeCreatePermanentPrivilege	3896	msiexec.exe
Token: SeBackupPrivilege	3896	msiexec.exe
Token: SeRestorePrivilege	3896	msiexec.exe
Token: SeShutdownPrivilege	3896	msiexec.exe
Token: SeDebugPrivilege	3896	msiexec.exe
Token: SeAuditPrivilege	3896	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3896	msiexec.exe
Token: SeChangeNotifyPrivilege	3896	msiexec.exe
Token: SeRemoteShutdownPrivilege	3896	msiexec.exe
Token: SeUndockPrivilege	3896	msiexec.exe
Token: SeSyncAgentPrivilege	3896	msiexec.exe
Token: SeEnableDelegationPrivilege	3896	msiexec.exe
Token: SeManageVolumePrivilege	3896	msiexec.exe
Token: SeImpersonatePrivilege	3896	msiexec.exe
Token: SeCreateGlobalPrivilege	3896	msiexec.exe
Token: SeCreateTokenPrivilege	3896	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3896	msiexec.exe
Token: SeLockMemoryPrivilege	3896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3896	msiexec.exe
Token: SeMachineAccountPrivilege	3896	msiexec.exe
Token: SeTcbPrivilege	3896	msiexec.exe
Token: SeSecurityPrivilege	3896	msiexec.exe
Token: SeTakeOwnershipPrivilege	3896	msiexec.exe
Token: SeLoadDriverPrivilege	3896	msiexec.exe
Token: SeSystemProfilePrivilege	3896	msiexec.exe
Token: SeSystemtimePrivilege	3896	msiexec.exe
Token: SeProfSingleProcessPrivilege	3896	msiexec.exe
Token: SeIncBasePriorityPrivilege	3896	msiexec.exe
Token: SeCreatePagefilePrivilege	3896	msiexec.exe
Token: SeCreatePermanentPrivilege	3896	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
2864	firefox.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2852	MsiExec.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
3680	explorer.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe
2864	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2252 wrote to memory of 2864	2252	firefox.exe	85
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 1520	2864	firefox.exe	86
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87
PID 2864 wrote to memory of 3436	2864	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo
1⤵
PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.934918005\301938980" -parentBuildID 20230214051806 -prefsHandle 1796 -prefMapHandle 1788 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a2f0ab8-1fd0-4388-97f6-84aba8598076} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1888 28453223758 gpu
    3⤵
    PID:1520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.1.1383736794\946188684" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b389b5c-93f8-48c4-8427-cd2d72908143} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2416 28446586058 socket
    3⤵
    PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.2.1291002947\1857721117" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30affb93-e442-498c-9cb2-b2ee4a98d330} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3068 2845610fc58 tab
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.3.1000492465\528760318" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a10ef49-b62e-48b1-8aa3-1095def652d0} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3592 28458890158 tab
    3⤵
    PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.4.1267151407\428172120" -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f07194c-ba10-4198-850d-a9f8ed61e1f3} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5108 2845b277658 tab
    3⤵
    PID:3868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.5.2095402685\341004309" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5244 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22ccb69b-5413-450d-9ff7-a1072bb1bb58} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5316 2845b278258 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.6.163119557\751402702" -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {977ca08b-f276-43f9-a4c2-129dae121ba5} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5436 2845b278e58 tab
    3⤵
    PID:4944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.7.1333887165\994208310" -childID 6 -isForBrowser -prefsHandle 1560 -prefMapHandle 5436 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e09142ae-ecc2-454d-bbdd-ab63bd65bd2b} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5884 2845af68358 tab
    3⤵
    PID:1972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.8.858730122\2119042937" -childID 7 -isForBrowser -prefsHandle 5304 -prefMapHandle 5092 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32bf1d69-a880-4058-ae09-1a0c47521905} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3844 28458b49b58 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.9.618830945\594160103" -childID 8 -isForBrowser -prefsHandle 3560 -prefMapHandle 2684 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eb372ef-7ddc-468e-aaf7-9fee54fea8c7} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5232 28459761758 tab
    3⤵
    PID:2076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.10.1348793360\1808921121" -childID 9 -isForBrowser -prefsHandle 5092 -prefMapHandle 6544 -prefsLen 28271 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14048f11-27b6-43e7-ae3f-5ce2e912e3b6} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2944 2845c0e8858 tab
    3⤵
    PID:5272
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:5892

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe"
1⤵
PID:2080
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill.exe /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill.exe /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3680
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 456
    3⤵
    - Program crash
    PID:5864
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:4272
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3936
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:49248
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:49608
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:49172
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:49580
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:49972
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:49292
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:49336
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:5876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 79C7608D30027FD22BD28C48BADCF576 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3560 -ip 3560
1⤵
PID:1936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:50032

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f125598af73b439393c9b5483dc67510 /t 49300 /p 49292
1⤵
PID:44008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:36808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:37756
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\WebsiteSourceCode\index.html.id-0354D2D0.[[email protected]].txt
  2⤵
  PID:38676
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\WebsiteSourceCode\README.md.id-0354D2D0.txt
  2⤵
  PID:39580
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\SysWOW64\appidtel.exe"
  2⤵
  PID:38596
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\SysWOW64\appidtel.exe"
  2⤵
  PID:38684
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\SysWOW64\AtBroker.exe"
  2⤵
  PID:38712
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\SysWOW64\AtBroker.exe"
  2⤵
  PID:43940
- C:\Windows\System32\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe" /D C
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  PID:6796
- - C:\Users\Admin\AppData\Local\Temp\2CDCA9C0-7ED3-420F-9F44-E68902213049\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\2CDCA9C0-7ED3-420F-9F44-E68902213049\dismhost.exe {F1B7E10E-C38B-4CD0-8DA5-6E2F126AD7C0}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:49376
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word.txt
  2⤵
  PID:29456
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word.txt
  2⤵
  PID:15324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:37464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:38156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:38304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:37948

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:39208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:39976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:28552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery