Analysis
- max time kernel: 116s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 01:19
Static task: static1
Behavioral task: behavioral1
- Sample: CoronaVirus.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: CoronaVirus.exe
- Resource: win10v2004-20240508-en
Errors
General
- Target: CoronaVirus.exe
- Size: 1.0MB
- MD5: 055d1462f66a350d9886542d4d79bc2b
- SHA1: f1086d2f667d807dbb1aa362a7a809ea119f2565
- SHA256: dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
- SHA512: 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
- SSDEEP: 24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma (also tracked as CrySiS) is a ransomware family; some of its campaigns have bundled the payload with a legitimate security-software installer to mask the malicious activity. The `<name>.id-<victim ID>.[<contact>].<ext>` file suffix seen throughout this report is the family's renaming scheme.
-
Deletes shadow copies 3 TTPs
Ransomware deletes Volume Shadow Copies to inhibit system recovery. In this run the sample spawns cmd.exe twice and each time runs `mode con cp select=1251` (the Windows Cyrillic code page) before `vssadmin delete shadows /all /quiet`; see the process tree below.
-
Renames multiple (311) files with added filename extension
Consistent with ransomware encrypting files across the system: 311 files were renamed with the suffix `.id-B68BA828.[<contact>].ncov` appended to the original name. The contact address inside the square brackets is rendered as `[email protected]` throughout this page and cannot be recovered from it.
-
Drops startup file 5 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Note that two of the three Run values use the full path of the .hta file as the value name and launch it through mshta.exe, so the ransom note is re-displayed at every logon.
-
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mshta.exe
-
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
All 64 entries are "File opened for modification" by CoronaVirus.exe:
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HL1JTUOY\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5VY10BSW\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KEQD8ZAD\desktop.ini
C:\Users\Public\Music\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\66RFTKYZ\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M221U1AY\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OQAMAYIL\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NNULH633\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui | CoronaVirus.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Chicago | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF | CoronaVirus.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pl.dll.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\WISC30.DLL.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\WT61ES.LEX | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RSPMECH.POC.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianLetter.Dotx.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css | CoronaVirus.exe
File created | C:\Program Files\Java\jre7\bin\klist.exe.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149887.WMF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | CoronaVirus.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107526.WMF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Maputo.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\Internet Explorer\images\bing.ico | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME21.CSS.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp | CoronaVirus.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18245_.WMF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_fr.dub.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151047.WMF | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152610.WMF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML.id-B68BA828.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01166_.WMF | CoronaVirus.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2536 | vssadmin.exe
2224 | vssadmin.exe
-
Modifies Internet Explorer settings
description | ioc | Process
All keys below are under \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\ and are written by the browser and mshta.exe while rendering the ransom note, not by the sample itself.
Key created | Main | iexplore.exe
Key created | GPU | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | MINIE\TabBandWidth = "500" | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Key created | PageSetup | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | MINIE | iexplore.exe
Key created | Main | mshta.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | Main | mshta.exe
Key created | IntelliForms | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Key created | Toolbar | iexplore.exe
Key created | Zoom | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Set value (int) | Recovery\AdminActive\{0058A291-367F-11EF-82B1-CE167E742B8D} = "0" | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2728 | CoronaVirus.exe (64 occurrences)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeBackupPrivilege | 2456 | vssvc.exe
Token: SeRestorePrivilege | 2456 | vssvc.exe
Token: SeAuditPrivilege | 2456 | vssvc.exe
Token: 33 | 2896 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2896 | AUDIODG.EXE
Token: 33 | 2896 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2896 | AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1752 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1752 | iexplore.exe
1752 | iexplore.exe
2780 | IEXPLORE.EXE
2780 | IEXPLORE.EXE
2836 | IEXPLORE.EXE
2836 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 2728 wrote to memory of 3024 | 2728 | CoronaVirus.exe | 28 (4 entries)
PID 3024 wrote to memory of 2436 | 3024 | cmd.exe | 30 (3 entries)
PID 3024 wrote to memory of 2536 | 3024 | cmd.exe | 31 (3 entries)
PID 2728 wrote to memory of 2776 | 2728 | CoronaVirus.exe | 35 (4 entries)
PID 2776 wrote to memory of 2020 | 2776 | cmd.exe | 37 (3 entries)
PID 2776 wrote to memory of 2224 | 2776 | cmd.exe | 38 (3 entries)
PID 2728 wrote to memory of 208 | 2728 | CoronaVirus.exe | 39 (4 entries)
PID 2728 wrote to memory of 204 | 2728 | CoronaVirus.exe | 40 (4 entries)
PID 1752 wrote to memory of 2780 | 1752 | iexplore.exe | 46 (4 entries)
PID 1752 wrote to memory of 2836 | 1752 | iexplore.exe | 47 (4 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
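The file-rename and startup-folder indicators above give a responder enough to write a host-side triage check. The following Python script is an added example and is not part of the sandbox report: it parses the Dharma-style suffix (`<name>.id-<8 hex>.[<contact>].<ext>`) to recover the victim ID, contact address and extension, then sweeps a directory tree counting encrypted files and locating the `Info.hta` note. The directory layout and the `contact@example.com` address are constructed placeholders; the real contact address is rendered as `[email protected]` on this page and cannot be recovered from it.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Dharma/CrySiS-style suffix: <original>.id-<8 hex>.[<contact>].<ext>
# This report shows ".id-B68BA828.[...].ncov" with the address masked on the page.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Ransom note name dropped into the Startup folders in this run.
RANSOM_NOTE_NAMES = {"info.hta"}


def parse_dharma_name(name):
    """Return (original, victim_id, contact, ext) or None if the name lacks the suffix."""
    m = DHARMA_SUFFIX.match(name)
    if not m:
        return None
    return (m.group("original"), m.group("victim_id").upper(),
            m.group("contact"), m.group("ext").lower())


def sweep(root):
    """Walk root and summarise encrypted files and ransom notes found under it."""
    encrypted = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(str(path))
                continue
            parsed = parse_dharma_name(name)
            if parsed:
                encrypted.append((str(path), parsed))
    # One victim ID and one contact per infection is the expected shape;
    # more than one of either means a second run or a second family.
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": dict(Counter(p[1] for _, p in encrypted)),
        "contacts": dict(Counter(p[2] for _, p in encrypted)),
        "extensions": dict(Counter(p[3] for _, p in encrypted)),
        "notes": notes,
    }


def build_demo_tree():
    """Constructed sample tree mimicking the report's layout (placeholder contact address)."""
    base = Path(tempfile.mkdtemp(prefix="dharma_demo_"))
    startup = base / "Startup"
    docs = base / "Documents"
    startup.mkdir()
    docs.mkdir()
    (startup / "Info.hta").write_text("<html>constructed ransom note</html>")
    (startup / "desktop.ini.id-B68BA828.[contact@example.com].ncov").write_bytes(b"\x00" * 16)
    (docs / "report.docx.id-B68BA828.[contact@example.com].ncov").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched")
    return base


if __name__ == "__main__":
    print(sweep(build_demo_tree()))
```

The victim ID (here `B68BA828`) and the contact address are the two values an incident handler needs first: the ID is what identification services and any later decryptor key on, and the contact address ties the sample to a campaign.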
Processes
-
C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe (level 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2728
  -
  C:\Windows\system32\cmd.exe (level 2)
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3024
    -
    C:\Windows\system32\mode.com (level 3)
      cmdline: mode con cp select=1251
      PID: 2436
    -
    C:\Windows\system32\vssadmin.exe (level 3)
      cmdline: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2536
  -
  C:\Windows\system32\cmd.exe (level 2)
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2776
    -
    C:\Windows\system32\mode.com (level 3)
      cmdline: mode con cp select=1251
      PID: 2020
    -
    C:\Windows\system32\vssadmin.exe (level 3)
      cmdline: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2224
  -
  C:\Windows\System32\mshta.exe (level 2)
    cmdline: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
    PID: 208
  -
  C:\Windows\System32\mshta.exe (level 2)
    cmdline: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    PID: 204
-
C:\Windows\system32\vssvc.exe (level 1)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2456
-
C:\Windows\SysWOW64\DllHost.exe (level 1)
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 2280
-
C:\Program Files\Internet Explorer\iexplore.exe (level 1)
  cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1752
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 2)
    cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2780
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 2)
    cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:472068 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2836
-
C:\Windows\system32\LogonUI.exe (level 1)
  cmdline: "LogonUI.exe" /flags:0x0
  PID: 1012
-
C:\Windows\system32\AUDIODG.EXE (level 1)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x560
  - Suspicious use of AdjustPrivilegeToken
  PID: 2896
-
C:\Windows\system32\LogonUI.exe (level 1)
  cmdline: "LogonUI.exe" /flags:0x1
  PID: 2640
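The process tree above is the behavioural core of this run: the sample spawns cmd.exe, which runs `mode con cp select=1251` and then `vssadmin delete shadows /all /quiet`, twice, and launches mshta.exe on the `Info.hta` note from the Startup folders while writing Run values that invoke mshta. The following Python script is an added example, not part of the report: it replays those events as Sysmon-style process-creation and registry-set records (the field names `pid`, `ppid`, `image`, `cmdline`, `key`, `data` and the `ppid` of 0 for root processes are assumptions, since the report does not show parents of top-level processes) and flags the shadow-copy deletion together with its parent chain and code-page switch, mshta launched from a Startup folder, and Run values that point at mshta or an .hta file.

```python
import re
from collections import defaultdict

# Constructed process-creation events taken from the process tree in this report.
# PIDs, images and command lines are as shown there; field names are an assumption.
EVENTS = [
    {"pid": 2728, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\CoronaVirus.exe"'},
    {"pid": 3024, "ppid": 2728, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2436, "ppid": 3024, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 2536, "ppid": 3024, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2776, "ppid": 2728, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2020, "ppid": 2776, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 2224, "ppid": 2776, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 208,  "ppid": 2728, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"pid": 204,  "ppid": 2728, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"pid": 1752, "ppid": 0,    "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'},
]

# Constructed registry-set events mirroring two of the "Adds Run key" IoCs in this report.
REG_EVENTS = [
    {"pid": 2728, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta",
     "data": r'mshta.exe "C:\Windows\System32\Info.hta"'},
    {"pid": 2728, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe",
     "data": r"C:\Windows\System32\CoronaVirus.exe"},
]

VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
CP_SELECT = re.compile(r"mode\s+con\s+cp\s+select=(\d+)", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def ancestry(events, pid):
    """Image basenames from pid up to the root, lower-cased (e.g. vssadmin.exe -> cmd.exe -> ...)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events, reg_events=()):
    """Return a list of alerts; each carries the rule name, pid, parent chain and code page."""
    alerts = []
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    for e in events:
        cmd = e["cmdline"]
        if VSS_DELETE.search(cmd):
            # The Dharma tell: a sibling under the same cmd.exe switched the console code page first.
            codepage = None
            for sibling in children[e["ppid"]]:
                m = CP_SELECT.search(sibling["cmdline"])
                if m:
                    codepage = m.group(1)
            alerts.append({"rule": "shadow_copy_deletion", "pid": e["pid"],
                           "chain": ancestry(events, e["pid"]), "codepage": codepage})
        if e["image"].lower().endswith("\\mshta.exe") and STARTUP_DIR.search(cmd):
            alerts.append({"rule": "mshta_from_startup_folder", "pid": e["pid"],
                           "chain": ancestry(events, e["pid"]), "codepage": None})
    for r in reg_events:
        data = r["data"].lower()
        if RUN_KEY.search(r["key"]) and ("mshta" in data or data.endswith(".hta")):
            alerts.append({"rule": "run_key_mshta_persistence", "pid": r["pid"],
                           "chain": ancestry(events, r["pid"]), "codepage": None})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, REG_EVENTS):
        print(a)
```

The `chain` field is what separates a ransomware-driven `vssadmin` run (parent chain ending in an unknown executable under a user profile) from an administrator typing the same command into an interactive shell, and the code-page value gives a second, family-specific signal that a generic shadow-copy rule lacks.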
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-B68BA828.[[email protected]].ncov
Filesize: 23.5MB
MD5: 189f1ae6f14ad16d9d86212e2b65a56c
SHA1: 45e0d2ee56034f22539e8a62eab757b22f836792
SHA256: f392eec634ea8fbdb743feddea1f675ee71286a77ec2293cca10e10981815c3d
SHA512: 6803a7526557ce014e0b2816f4a380360b7ad1f7f783b67ac6ee978a0614dbecf482d52c5c45276b20238b2781374e1c2eb9512e93095ef31f0ee7affc448842
-
Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c2b0511d010e24d33b898ead2e48b4e8
SHA1: 4650f38f0a42cf5e214713b3f40db1b4a30b2e32
SHA256: 2b6902c12a3855008aa85d095932fbd01b313681e23caca9515315e3b2d133dc
SHA512: 7cb3f1b8bf5220faaddcd27eb5b3e7b35a5fcb7bda9c883074ac1315f9ef2867431cc8dc1149c9e80731a6057c90a4a94ce99caab716708cb19056c28b130691
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f2610ac4af98b44b3a854a69c78b899d
SHA1: cee568e039c23070f97aa898b592eb473a4d537a
SHA256: 9dd8a6560aca8a296c75284c9af4f77af13268bdcba327e94538489f6afe7c6f
SHA512: bd709c10b13c7daf9527c8c10825ea7717cfabeaa92c0c5c5661d7949ad441b1674f5de4ebf14a4ec47c2726497550f7292c6ce71479f777d11344cf49b0f68c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c1c7019eeb95f7eb45ea26ea228f8840
SHA1: a4d255c94ecc87c1dea07af733c91c56e5896980
SHA256: 8f14fcc2674cbe56896ddcfd1540c219161168b4bf7d45bb92a99da55a360028
SHA512: 647278ef2f8c899f55a3a8f13713538c31cf4a4567e6280570390afa0a93dd4e2806b1c6fb0f9c1629e329bc559b97fa7f723cae5fac741da919ae4205b38015
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 30636861cd4105a298cb0bd23a60ac14
SHA1: 10a0b97131a57a995ac45d04a3e1b3fd25668440
SHA256: 58ce3dc9dea7e4bce0edc316bf02bab1fd27b00c5fbd296e930b4f23a4c28d7d
SHA512: 5309223b5056f867aae77edd21e8d3cb36b696d2933f4b84e7f638dea1fb9542650ffd744e9bf60292401e8b015ee20de77dbab5092e2ff1880b66292d135d75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c18ff0838b371ad9cdad8be42d0acebe
SHA1: aa2bb4d90c8b849fc848cc142214d0f1d9c3e9d2
SHA256: ee2bac9a48528d364e8ac6da3bca5eb01b6779818d37d4a48d135c7c5e30f8d7
SHA512: d5b99b2f0477120da36a75b49e5f864b6f84bd4bf7ec2ba29527bdbf9ee39c439dda168a1922ba28408e66b5285744e96344a2bacf09cc9deb9b49114a432871
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b45339f00b8faa24d0562fcc83deb8bd
SHA1: a10492c46783f9d5dba742572e9af1ed28ffce46
SHA256: 2cd8b8cb7cdd207e6d02b7c4544b91a084570daa6728d86a80e89c147fa9bcbb
SHA512: 1446e0b4f07a420ca4e942b64ef298bc28a977bf077cd874523ca4602765cd7ba3c6f261fdec5871497c18f08746af94d45a5e219f201bf1a10cf28626cab429
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 52e16e10cc8726c4083133707b492642
SHA1: d47d6d64baf169f2e1904f992ff20eaa32bfb45d
SHA256: 6232fe3581917d4286b46bc60e6fcfb7332d1f0db4c09cacc7b4ec3940681ca5
SHA512: f6c37bfa22dc2d295d213f1fdf7c3dc32b448d1e29267a77bd69c19a511eb9cc13355d25db0c29d3d760a1e8aa3651a49cc8419194e6c02b26d0605730c44e74
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 194B
MD5: 66c13fa004dd620c6c2107d2c4d5db34
SHA1: 68783a547e36634018d72d7d060e99b2865527cf
SHA256: 6f2d7e7ea72842e9532492f9bc7c9a1dd9a5b28086360706de267df63c12e7f4
SHA512: d91ff7c320a7f4f4d210af20285403d5734ffb4ac61f66b993d8ce1d70c789ba182af1fc7b139a4c70eb67fb306e93c441a26119335edb6104a3afae118e88e2
-
Filesize: 13KB
MD5: e7b2de9306b0fd342b9f000f99cc32c7
SHA1: b595b5f127ee6716d57dd09cf9613d1f82f3ad9d
SHA256: 46bb57b6cb73cca88349aefb4b4d25b6c08191345e59c23809e3194761e9b00f
SHA512: 4b8169dfbf8615a5905bc2581649c2c1f659eee269187336e91f5084947b7ce145453be3003d26b30186ff519678e779b4a379c972215285fa473d00f1b848e5