Resubmissions
23-07-2024 17:59
240723-wk4grs1hrl 1023-07-2024 17:56
240723-wjg75svcla 1023-07-2024 17:55
240723-whgvzsvcjg 823-07-2024 17:52
240723-wf3pns1hll 823-07-2024 17:45
240723-wbtafa1gpr 1023-07-2024 17:42
240723-v97eaavane 1023-07-2024 17:40
240723-v8625a1fpm 823-07-2024 17:39
240723-v8bafs1fll 823-07-2024 17:36
240723-v62dvs1eqq 10Analysis
-
max time kernel
104s -
max time network
99s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
23-07-2024 17:42
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10-20240404-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe -
Executes dropped EXE 1 IoCs
Processes:
CoronaVirus.exepid process 3404 CoronaVirus.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
CoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-873560699-1074803302-2326074425-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpResL.dll.mui CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-140.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\blushing.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\PlaneCut.scale-100.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat CoronaVirus.exe File created C:\Program Files\Microsoft Office\Office16\OSPP.HTM.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Spider\spiderassets.xml CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2_24x24x32.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-125.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_24x24x32.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ec_16x11.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3416_32x32x32.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.ONENOTE.16.1033.hxn.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Hud\NumberGrid.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\angry.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\ui-strings.js.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Java\jre-1.8\bin\kinit.exe.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-selector.js CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png.id-7762CB42.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
CoronaVirus.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 22464 vssadmin.exe 22108 vssadmin.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662301606578030" chrome.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exeCoronaVirus.exepid process 2660 chrome.exe 2660 chrome.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe 3404 CoronaVirus.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
chrome.exepid process 2660 chrome.exe 2660 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exedescription pid process Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe Token: SeShutdownPrivilege 2660 chrome.exe Token: SeCreatePagefilePrivilege 2660 chrome.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
Processes:
chrome.exepid process 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
chrome.exepid process 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe 2660 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 2660 wrote to memory of 2996 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 2996 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 3020 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 2116 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 2116 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe PID 2660 wrote to memory of 1420 2660 chrome.exe chrome.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd724f9758,0x7ffd724f9768,0x7ffd724f97782⤵PID:2996
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:22⤵PID:3020
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:2116
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:1420
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:12⤵PID:5096
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:12⤵PID:1020
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:2304
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:2744
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5316 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:4304
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:3376
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:732
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:3736
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:3068
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5044 --field-trial-handle=1808,i,5299211652971495055,15787104265879353151,131072 /prefetch:82⤵PID:2008
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3404 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:2416
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:20396
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:22464 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:22988
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:22516
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:22108 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:22908
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:22860
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1660
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:22240
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d600d0ff0b6642368521d1d735e02dd7 /t 22852 /p 228601⤵PID:21540
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-7762CB42.[[email protected]].ncov
Filesize2.7MB
MD526a402aa8c7d763c285212e66cc5f2db
SHA120efe0a0dd35fc7b584c65b8f8bd27c25bd3791c
SHA256a1d9d47105a60a7153c0969473155f2862fcd2d483a33b73835ede2ea96a410e
SHA5125e9a226de615ffa316dcb8f0e8ad356f32ad1b96a3496a0084d2efac6f67908fdf0c5d963f85a985714596241609b2f53d722280f7bb4cbc221f621e0c8f9a77
-
Filesize
4.8MB
MD535c6cc1ca6d58b2e9490b623ea89a484
SHA1c3a335e7d5781ea6cce4885ea17e7fdff02b45ff
SHA2565f7bf29d2e537246f681da2cad7668d08c0625eb890de869c509d1a4306cd9b3
SHA512c0124b44a662f2160d10bb8d086a19ec6615be4dc93ceb994d007aea2cee3e1fa47aa47c3a44f50ec495e95292f6d8d2fc0670645c88ada1b93f4539875b1142
-
Filesize
2KB
MD55b05269d569e8862f05b56135eab967c
SHA167b138c0f5fdc4e7bd989df3a5d4db6252ddde61
SHA256376f8f6dba9dd8f67571e90125032f9de7859c8d54e54a474f560ba9cc6d8380
SHA512b5ae99c881a4945f1801e4a8d85e024ef1f74f3b63226c30dd0ee32e07eadfd9a1c61eda5584082f916dd13a3e89053f08eab72ad9a701182959d7f8568d1177
-
Filesize
184B
MD571042d18652543ff029197f7e1b3c5b0
SHA1bad330fed5a0f129586077a3a5066192f67d1a19
SHA2563801b2a4b45dc50e5628286eac23203279dee142cf6811d5bac0320157e764d6
SHA5126566d0d708096303369ef7e18d4fdec2bda333a178faf08366608085acefc1d90c3153ee5a174bae7a69b144dd57ade4380d9c93acb10899055b79bfa06fd752
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8da46ccd-da27-4500-a70d-e40ade4ce768.tmp
Filesize1KB
MD5e85429085eb35477851a8e3bd221fc73
SHA10fbd94bdbef40e42a61a19896686538ca1e5b7f6
SHA256f7a0b5caa37067140ae6a23a5293d24e1c85fd4e1b008834c99d0338a574f827
SHA51217ec0204cd26bf25c05e6ccd16cf53d787d185be71699dce58f05dfda4a21463b69a64e6ccbd12298fdd343c772a07d7f9952211cbc5615289bc35c58503b680
-
Filesize
1018B
MD595ea431b03f30360f0a60eee1b641f8c
SHA1cccf8b912e9f325dc9c7bed9c0055688073d4ad7
SHA256ae506677c17212d0931300c258b2a7ca4216b15336e9b156a9d00b00cbcbd6cb
SHA512c3109acbc743ad25c7beb536b1467002aac271018b01244bb62866639c5cd58f1af70af468f46ea319392412a3086337277c353f82d5c405635c95ea2950e72a
-
Filesize
1018B
MD531a7f4471e8a10c477933bf5266808c3
SHA1f1a5281437f3b131c3b7f304a8026b0a1325bfb7
SHA2566500d0529633071b3e308ada59b03691ce839002080f49a1b7d304355b9a1e11
SHA51253da556a7277308c7b7456944632c209a87adecca351fd1afc7afb135cfde79b2b62d3ecdf25a5f2b61ee85a1047689db2c221a9e8abd371f1596d55ce69c761
-
Filesize
1KB
MD550d0c819f3e37e1171c6304582a93b2a
SHA164c1bef4a08b81f2798c6474b46ddfe5f9fcc65b
SHA256f503a900cb6f8b63f841f72624d32bd867982e96c533637fbe9543f4ab19bcc1
SHA512b85dccc48c3872faa9d5caa15875ba62d82280bc258b77b8bfdfa6fddf39840e5e764b0ea78b60df12ab346bfae57f6d734368a39073d220abc2b955e764b6d5
-
Filesize
1KB
MD51f1fa77995d375b15814a2f355421976
SHA17c42fe253f45623158ce5a29496e7c64b4f70654
SHA2567443c31966a917ed2120d58898d71fd4105df4cc072f5fb82ed27e4c1e88f214
SHA512cef95a8893a3fff6823b447fd5330362ba29526f1285800bcef66034f2b44c8ad6045856b2537eb3c80105396dc070674ea860685665c39d4f3c3c0d6491e0af
-
Filesize
6KB
MD586628cebceda3f92d1c0f35923352568
SHA1fd4807446d4935f802d32907293e763be00ddec4
SHA2569699fd8c32ea8dbfed07716504d7f8839019d359feb01ddfa68956fd10955c57
SHA51200638718483ccbe7f9e3ba9d5052e2f45e7d5933726218d89ff69f3470bbd27c4faf8322d8eecc39219cc7e0d6f9fb19ddeac850922ba7b503b95d9254ff9fec
-
Filesize
6KB
MD552960f96ddb2b7407e9e23e875cd490c
SHA1082e5418ae53cf9325fc38a2840e71d5937174bf
SHA256f32fd88974a939958645deb8df23d628d3848a53e7265142b6bc010cf1943736
SHA512d9f27b8e62fb05a3092bb258db5d48c62c37cc338c8ee3d479712c227ed898bf9ab333d9ae3b7c20fe970c67b738a0f33a37d642c359c2fdb2fefea10fa5e1bb
-
Filesize
6KB
MD56069782852ab15f8db76c7421202e973
SHA1f6a3b7e9c8b07ce30dae95462da65c8998c6658f
SHA25659a47d683a3ffe8a98ffeac8e2de643f7a2857b920c1c81a80b7a16f203e616d
SHA512467e907d4ec6544534e30a8a408b4ecfddb09a8ad3679ca5ba7d8c5b951e5bb4adc71ce4df7c8a9cf8e1fdcb97adda439905275bccddb5eec8655f843d591bcc
-
Filesize
543B
MD58d4b8747d4bc03b401b6dedd643656b9
SHA13738b75726cd2c8688a38f448bae67a6c6f674bd
SHA25685618ac1b74bef204e49571e189547e473bd9fc4a63cfb11ff9aab3d949b2ba1
SHA5125db5e29d021f78698fbc71db8b9c38d8ad5aa376192608672eb41538a5c39d120a2c49b3bbff312faa12eece2e24be6b9b266cb995d5adb004344534fcb6d298
-
Filesize
136KB
MD527cb1d40622ff5a880622d8a6c6f1fbe
SHA1de3a54cc895e21273a13bc8b416240ca1bbd65fe
SHA2565b2142b22c2339ca1e23cbfcde890936863fad148a204be161c34a9e4331611c
SHA512ffaab088193eb743e413055b23c2dd97dc5d226682f9be9697a24f9d6e7cd055df9aa552b057f3b58944078f75c2c7794ed0dba948dfe46065aacdb84283bfa8
-
Filesize
136KB
MD51fccec61359fa736b9cbc94ad2a29d24
SHA1bc10e8814ebd2854ecb10a7450d3adb452e54347
SHA25697bfc5aa8227dcdc7b2b569761165c4d879c40e6d57a9808975612527d119db1
SHA5122020daa0a7e7f9059ec2e43d1cdf02382ab373fd88d0d233c677774763181b43b7931ba8e98ef16168c5e8ab2538b12ecead5e639f692e53a3d9a6a6044f0f21
-
Filesize
111KB
MD57303fddaab149963b94d7a9d55553b43
SHA1f334219f4c5276e9678ae3ed62b2809b2c9c9c8f
SHA2568438f3ac26a41941538b6b27ccda4c36647ba8f01fdc3e89038773978b6bf438
SHA51267311f0e5f02429b8fb2d6378bc28c0775e55d6bdf1ef15996124414c155940b5c9b3f06cf448fe76d49b00d11162ef6a2479f41dbd6f5857e5b7f14a350c4e6
-
Filesize
98KB
MD51889060dd2c3833dae0d79ca4e322154
SHA181f13759325bfc9e92c15fddadf908a0a8d918ec
SHA256ec77a058f3148a1430f0b3e052788231c6d2d3ea9244ce4dc50b2608a3712333
SHA512da83562e5f1df52cbb04b4511fcdfac7b036b367b1fde5a61ccbad3af673f28af5f777b4037fc0dd7955ed1854517c4954d2408c450e581c3da33f17f80aad41
-
Filesize
264KB
MD57282f191d0497ac10f934d4eb5c884f2
SHA1b7ace45cc6fc83b5405126c8994d0b356372de38
SHA256f7ec56341b32a356a3e047a385db3a4435205649b552ca0e062a68fc5a3826c1
SHA512325b3c13889e5b0e1247a290c0ff89362c8b9c6467485162fa406146bf00531a35ba7d081ac10fe9b2a6a496e73b33d15ed3f4e14b163d46c88f9b71ea0fa28f
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e