dharma | hxxp://google[.]com

Analysis

max time kernel
556s
max time network
557s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 14:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

dharma bootkit credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (523) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	chrome.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe

Executes dropped EXE 16 IoCs

pid	Process
5636	CoronaVirus.exe
25356	CoronaVirus.exe
10792	chrome.exe
10796	chrome.exe
11056	chrome.exe
11332	chrome.exe
11496	chrome.exe
11604	chrome.exe
11624	chrome.exe
11840	chrome.exe
12192	chrome.exe
12344	chrome.exe
9824	chrome.exe
14284	chrome.exe
15784	PowerPoint.exe
15864	sys3.exe

Loads dropped DLL 12 IoCs

pid	Process
10792	chrome.exe
10796	chrome.exe
11056	chrome.exe
11332	chrome.exe
11496	chrome.exe
11604	chrome.exe
11624	chrome.exe
11840	chrome.exe
12192	chrome.exe
12344	chrome.exe
9824	chrome.exe
14284	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
190	raw.githubusercontent.com
189	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_24.svg.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv58.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\91.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcp100.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.a3fa76ae.pri	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-20_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\AddressBook.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\nn.pak.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\PSGet.Resource.psd1.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-400.png	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\ui-strings.js.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\locale.ini.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\ui-strings.js.id-A348525B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.id-A348525B.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
22968	vssadmin.exe
9300	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133734766778075358"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4840	chrome.exe
4840	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2088	msedge.exe
2088	msedge.exe
5388	msedge.exe
5388	msedge.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe
5636	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe
Token: SeShutdownPrivilege	4840	chrome.exe
Token: SeCreatePagefilePrivilege	4840	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
4840	chrome.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe
13888	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
12048	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3612	4840	chrome.exe	84
PID 4840 wrote to memory of 3612	4840	chrome.exe	84
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 4220	4840	chrome.exe	85
PID 4840 wrote to memory of 852	4840	chrome.exe	86
PID 4840 wrote to memory of 852	4840	chrome.exe	86
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87
PID 4840 wrote to memory of 3460	4840	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80db1cc40,0x7ff80db1cc4c,0x7ff80db1cc58
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3052,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5024,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3344,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=724,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5164,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5212,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3376,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5520,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3408,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=1140,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5992,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5724,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5604,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5472,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5768,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5928,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5104,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5680,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:9824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5580,i,14204965975639405819,17412726226870691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14284

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultdcaabe00h9c1ah4f09ha632h1bbfe296fe4b
1⤵
PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffff9e146f8,0x7ffff9e14708,0x7ffff9e14718
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,15705565412646962269,17294928903528135682,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,15705565412646962269,17294928903528135682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,15705565412646962269,17294928903528135682,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault48f55337h5f44h4c5dha4fehd75e805daa2f
1⤵
PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffff9e146f8,0x7ffff9e14708,0x7ffff9e14718
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,12099405616436525300,10502023048075608883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,12099405616436525300,10502023048075608883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,12099405616436525300,10502023048075608883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:5436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5636
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1008
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2076
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:22968
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:11256
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:13784
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9300
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:9244
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:16036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:22996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13888

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:25356

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:24948

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:13568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:13404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
PID:12984

C:\Users\Admin\Downloads\PowerPoint.exe
"C:\Users\Admin\Downloads\PowerPoint.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:15784
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:15864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f89855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:12048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-A348525B.[[email protected]].ncov

Filesize
3.2MB

MD5
9eb7592a54426d7c6045a1b5b83d1069

SHA1
0a6b7b34bf292d1ae3ba86f36b58a075ff10e39b

SHA256
0cb20bbc4f4acfb0b2576c5cefa1c5b0d2e34637526f406788787c478d3dce75

SHA512
3354c10ae96522cba2562987e367bbf2988db141bef27d15e980a1e0f1c1b9e87ec474a0e4205a0a32a23738803a26b8a72bcca57239113a77482cd6c450519a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e49bc07fe132cd992856d975556f993a

SHA1
a029c7a4ea3557b61047ae9d26b198449a4bad70

SHA256
4217a5d8a861af246d3976ccbbefb56c16e1d4f369634d44376e6a48f8480542

SHA512
6a2c09f48948e33397aeb30a5ba1022e2934bd53d071ea29af5b6999d853036e1dd9ae91a75bdd24486ed392ed252a9f0710bfa972ecc599c1c670e72d5d3460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033

Filesize
421KB

MD5
e617a69578495180ff6393c1c721b1c6

SHA1
09350e4d4b4d0920213bf522070ff5d4490b5645

SHA256
d75273ca862cb34f70a9aa573a9e67215037b02b88684832c1a76b7df14292e4

SHA512
e1e4034bc4281a10160d90de292d4a580a589921336be8e0235a04e400167388ef910d3c7113add86859ce0c7680c89f278a3d72c42bd62f2d60d09e9dc60659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000046

Filesize
215KB

MD5
1585c4c0ffdb55b2a4fdc0b0f5c317be

SHA1
aac0e0f12332063c75c690458b2cfe5acb800d0a

SHA256
18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5

SHA512
7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d77f8c7bcb2fdc73bd840f311a4b0d34

SHA1
fb9da47223fb43ec6e33c05b8a8834ba84a87ed2

SHA256
a4eceaf44263de2fffc70b6d5ef3afd21ecc0485785afcd6d9874f71e921bc49

SHA512
2bb8911f7becf1cd98c0058f5b5d47a18c52957df399283052f2e09721ca804fc0bcd5505d005d1d9f02b332a76e886927ff25dc0aaec7fd0bb4d35c4305510b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e19c1cc751a98df0e5d541b0c9d3f190

SHA1
36198ff41d16ecb4c28d0431e8b7cd94223bbc28

SHA256
47035ed841409c4861aa55ebe6599491ba0d0cbf8132a5ea6f40e5068188ad8c

SHA512
eb6fa8e110e4fe4d5744e24255f62bf6aa1372e86207385e31e432eef6886fcfaf5b80ca2764b9b653317723967580691d77547eee60774d24c775007db1c867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
51bef09562179ce8656f48acdbaabc3e

SHA1
f95fecb227bf30b3593093c82fe9f15e129ef388

SHA256
53d3a0894e336e56bc315eb1618c80a5b5286937610e5ca274f187a4a62c726a

SHA512
36377c8e1aa45cd46aeefaef3dc0503ccadbb904e5c641246dc07a36409fdbf31a8e3ef93f44652e8c914f841ee627e07efffc39e6690a3d92a455e24217a567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
db868ff6e4a73e1bae58ca36dce2cd78

SHA1
1250a7f9c484ae78d6076a5a95fc0d8d1243dc02

SHA256
4a99975f48cbf06f86ee2721cfe832633b64dd5c1ff50a3c9c8a84455f52610e

SHA512
9172f0b0068494e910b2f672b2e34fe3fc8b70e9c794837b2478b965637231519571486fe7b95dc82a9fdd4093d94a02c3ad52104af69606125f56dd3fdc34ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
16e41fc32a75596882a30f7681fc594d

SHA1
a5be1e8647ed0ba5d2989a86c34ccff210f8daf4

SHA256
43b8124bc1b58374c30b5d712dd564896c913213ed4949c18b955dd1a725a700

SHA512
d126ab5b624781b8a56834f1fde177a18de598c0cd9e755c6ac93b27284cca88e72b6b299725f2ff92e4b79fa75504d5d60cfd6995e93d66bb34373b59671c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ffe79351b5c40dd00a8180d9cca4001f

SHA1
d2845350a9ae0f39821b6cf4a7d1b0e197c63c77

SHA256
2edb6217c26da963173ed25ecce1ed9406f1871b29f028d9dcd6f6068cb20f32

SHA512
bf1bcdb6884b9ec43c7aebf7acead22860dc7a99ac4c3a7ac4e4c528036954de6560b8ce4f03cd973348d3bb9e43cbe34ad344bd94802e440d5c02f1d7083257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
668f5349403762f810f0852a0e84129f

SHA1
e7fd0e40c6f31afce7233ea44b24de12e47568e2

SHA256
2cec44dc338128510b6eda035ac33019ad1f6d8fbe94f65558e1c2329a9ddee6

SHA512
0b6537b86d9070120d3a174bcd98a01ca51533943a10182faa1ad41d5b692ec3f96eb4db9d91dc66c433d80a2ac793dd5b6eb16a3cc27feca075229379b369a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2c3ce8e80f35f1b1b5a2715fd21cc9e5

SHA1
4a639ce48adbca8266d8adbde13bab29e3301f45

SHA256
561c815ce32468a89ee45e8f0e98bde4d2358a8a84f5b9d321e949942c814b54

SHA512
6cfdd98d69655ff6f4dc26c2a7bdf9e1feb4eadf7aa0ca2bad0dd9bb5cbc078ad6983b2c5b848b3b9c28147bbcaf111c7882cce3d57089092aa42ddf340bf112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97676d545d06e24eee9e309ccc9f9f60

SHA1
e4b79762d1795895b67475f3000016bbbd7e8162

SHA256
d6682ea7ca12fa55291c7ea7daa53b5df7dd2bed2a0a885bfdb480b0b03719ed

SHA512
27a0d9b3412b28fda825acb7c3f8b05b0534523e22036134f68e0a0d4d01bfe6de8978bd851777ef2666e137ebb3b9539293f453ea9e9d650ac15f49c8b2611e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
72617360dd68f20285a00a9e491ea54d

SHA1
dcc4093b302abd9e6e2d36ce1934ba0eb49d2af2

SHA256
98471c262a4177407acbe1310d585bfccc173f97a7d16cf26ec2bc2c565d9784

SHA512
07274f094a18039ac6f76ba5af52d9855c0fcd8d2046f85ca2fdc7e08a57e19262e9eca626d6e8eb08ec2d1850b93655045194a21a1ffced5756b88b4896a196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b7017bc8d8bff38f781ef7e9eff1f2c7

SHA1
890b6a61cefedf1ef8835bf500ba0b313b9f7c67

SHA256
dfd20257a1995b41286e5cd66cac3e03e9da2e9930d69219950db3589238ed09

SHA512
b17bacedd4e922a8750da3d5d49ac0ae16a0d8fefdd921c23e08432e93f3c8dba01fd9692a0575e31c7300373138fb3fa29fec517917b9c45bc5885f08e56a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8042e393da829932031119a1ca1d13d2

SHA1
4fdc3057a9d8e19ab22787e2f1c26c12b8b05354

SHA256
47bd962799ba68e78009e45ec8860c15f2e4995c4db33d2ac9aae098551baf28

SHA512
fe5c5be69c62619ecf8e6f2d024021b47cc828072f9bba7cf694737e6435e96f2f15f1ba2bc6617e625dea485b4f8bb81a951fd97578971c2ee14df62f1d877b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a145bb33c6f9a64f4243da2d74edf020

SHA1
3c3316f76284e4ed7c832e08de93f7ea0926adec

SHA256
6f3c456f8993d7fbd592856f78b91ef279fecfb2b9da056ef4235be791312507

SHA512
9aa89b142f975615504529b2997af7e8361e742e576a008ef5857ce77091e0babcee34aaa5583dac79a54813602d799b874084d100cd76571d563f15b6757f9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
785c5aadfc912a50831cb6a4adaee74b

SHA1
84c80e204ad2e3ab7036d3a9f85aafefccb586be

SHA256
7876d26332cbb2e3657762035730f27ecb10bed344ef77b9cf60c28b334abc68

SHA512
ff32694b74b389d2811a1e100e9149d35e6739c8d455ece3c9c2cda6cadb3ddc91c900e35a1b3b80ffce528c26a75f069e22ebafb0d39a9945c4ceb4ba389913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
826796fdb6af07a7fcd3c41e378a8a3e

SHA1
143bee0f9c1c91fe488d89a4d14d0285547c57a6

SHA256
946bca6b9569ff65ee3763bc858ac10899b2c685cfdc56e9e708e339ede4e106

SHA512
aadb3b4c9fc9ff9453c9f007918b32c0e8421e9f09f922ddc08ec066626cac2f9379f1646ef12296eb0e28c165726b46e8cb46d006a09a54826066e4f94e909a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e378f0b153e9496cfac9a15d9e3cced9

SHA1
40232cebbe5335e4000f20ddd82f4d2cf59432b4

SHA256
5c293f222fa50ada54e852509996f5f64eee621fb7a9d45db52233985bccd3a8

SHA512
014da7d2cc0c380cf6289a87c480f58711329b1cadcb26107f9b8e1ace8a41d2a18d1cf9436d1666ef1aace0cd498ee5bf4f11a15c5d3170506920c0649c3421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe5fb81e.TMP

Filesize
1KB

MD5
2178a6feca5f959a936e40462a07aadc

SHA1
4b0eb38d629ccbcd7896c61348b2194d42fe06f5

SHA256
a63f192087cd70747a82c0d0de13c2326cb1a9866eae48e6a2d20a924611220f

SHA512
b4a36ed339d93aa848885bb7cd938b65c9a472ad9006815e5bd78cd8a69308823b2b27113229cce91126d0121e4097c243b9dd2db6154b99ca05261d509a83f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
93d5dd5ce3f2d36c4d6fef77a60509f3

SHA1
5c9afc9bc85ce0dfcb4f879392b4b2c9b92ab937

SHA256
8922bb5a745596901e9d12cd4b46889d3a65db7eb20115ff66280355dcdc0d3d

SHA512
8f40d3e96173818e30d76579aa321e531ce1f2210ebc6fb988f8988a821049f5a391a6beedffe38b676d1da419a1de464d6be46eee7af5cc43ef725c13b5a3b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
60d2d998ca7c7a1e0f45d5114a2cfe27

SHA1
b5aad494f82b84ecb91d480abe1e5a3956458a83

SHA256
e8879fc0dfe46db783b137eee57d1accd3ad6c467766fba7319464ea33c984f2

SHA512
09ce54efad7fac4296cf801ea050a4d3dc4d4879eb063465f3905723b1bd08e15da40ec011106f75cd2c36b304af66e052d80a61dd6c743ffb728c47992b2702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06f127b45dda2977279947e35168af73

SHA1
55cefbbfad713b47c8783b39ec712e099537d510

SHA256
41bc5a2599b872af666d9a9716812d2d6870b4521471ff9f09ac4639f7aee235

SHA512
e6ef07a2221b52a809a434e9788836143d8bced3ea5f64cf6a2a4daade293bebc6490cb4afed476fbfeec8381bf27d861d0952a970c8f92a9d95fba5c148f337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c025a016b5ebdf941e6ffa314019be7b

SHA1
72ccf29e531c92c735a011596f6229a0b3afb800

SHA256
5283d69f72b54f461dc0868d242095e0447d41d57e8fb7530b023f43437de0e8

SHA512
91bcf1e63e7ac098a39dd3b7e800a164646d9ecb9f3cdcc862c78fc72e0a3667a69bc8b844f7e00c7c0f4a625113e39d121d482f77da31bc20f4b8cbeafbf9d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a2872bbbe86551012f04d9eee4a5d183

SHA1
6415e482805d4e740b40192269b3432397ece321

SHA256
074ab621b5dcdc7269802c01b351c3a58b4f7c4318e4e5742ba964d7d2e0665d

SHA512
e852356fd4e63ba3eb5bc877fc6831dcc932eee3558448b7c3b2070cc3089579a2fa0d17fb7f43ac876050b8ec945c355e62250377ba65b483378854778c0ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cfcc9077a89b0a0d6366043f724fcad0

SHA1
a9c155bf6846e93578a51e614e7499e5e7843316

SHA256
acb404e5c7fdc8e7af2f3ee083b647a265983dbd20c2d7a0fbc233748328f0a1

SHA512
64a71da24b27d539c21327f14d073cece78d7e6df2f4dc3f2d04232f52ecaade1289826feceb53a5c9c0041e7cb63aa535ccb7ddc2a6d2460f74a5032216b09d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
56900cb1f41fc30eed55edaafe01bb0f

SHA1
a3bdb20111bcd8f15b716a3142819405dbc7fa72

SHA256
d3c4875a7938d8d3682cf296bd5801f67f5e083cf2750c64e0208a834f2ced7c

SHA512
7a9e079eb718106274c38642b26f7597ce9a1b7ba30a7148ae2dbfa35fe92efe32fcef0e9baa8e05afce8f1a9e1c61b23aa95fab67e58fb39eb1ccc00da6106a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc2a5c3beaa38badc1f58f1d83da13ca

SHA1
c0ac479993acd4fac4934c9fc56554f5953097d5

SHA256
f5f7bb742cb6a4f4b51eb7415ac17355704e920bfa7efff733f3a75c27bd6134

SHA512
7d178ae35f85dc8153f3c45c4423e884c29cf61ff40c6c75a0af1d7ea772e613e384dceece8ef8423e383204994cd83862309deb288b1ef7d0f2f9a98fd2d496

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
938ea4ad04e164146a831afb7ac79a4f

SHA1
808c9c8600123c78f7154e7a356803528de7cbd1

SHA256
b5d1a4e1ae335a6f58c4ac4b01d5136e7392fe24356a0665016b220f47344e93

SHA512
9e353c5e75ace64e273c804fc47e2e1ae2901aa845315646eacd9a76ae95035233e641e7aa27ac3a3601f2d3b4dcec9786ee2b53cbcc2c165fdaeb95676a12a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4b5854302c01155e65fa4a6479ce6074

SHA1
7f3f8c13dc119adf8fd747f31ace1b4dba3c61f4

SHA256
d3eff85755abbfa247b880941ccdc0865d70bc7678bb3af29c6f00dfeb283a75

SHA512
f14ac17226de7f8aff7ee732304a4e57519162b42abcc9e009aa296062f7c5f0efeb5fd10debed1c53fc41504706d38d61a08905762c8d35988091409be7792d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4086a318f3911fb32fd9c326fc9af51d

SHA1
0fb52e7f2df8e06ab6cde884a89833023d6b2dad

SHA256
f07200cfbd8c207ccca481eb2511d0c957b6ff6fbd4fc3a6d89f6ea8879ca82e

SHA512
f0a746f26e7a8df8f5a8c10fad84bae63b333f2ba58ec1af99e978c8f2c31f4da792eec5073b704e1a4f9637dfc8a5512e8618931e47231aacdec718a77afb4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4dd55c445b830db52286b50a69b01ecf

SHA1
14428439ef2d24fe318845aa8b9aa55342b7956a

SHA256
6deaf1debccb23b480b8ad6b330026a434f27f456a0c5f2693e33bc6c6b9630c

SHA512
069003e278007ed768d5adfd21674b6f9bdec09d3db695d41d9a6ef3912aeaf6d093035bfae572fc560d83e7adf25b37972c88fa92c7743360e93a1e6b3456e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
38a45d6d2b07693b87fe3f522022f9f6

SHA1
edce3c0d757a5e1b45593f928bf413d12a6ba4b5

SHA256
da298c717d0aa8e3658e6dda4fc7c444ae9f6c046fa2daf219dcaa2adac66027

SHA512
50f3f880e6f454669f5b0702a4dac452bcdd4f4452635e441f02fcd3da8a4a0e34dbab07c84d4912e31bada5b8bd865d13937f4972eea0b6382c187d90d47be3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79d1154f29c699c0784f792ae6c3bd66

SHA1
4dce7f0c3918539e65c5c04ae994289d41dfe711

SHA256
ac267ff1dc5309b2aae5c22a9e91d1f6c9e6a7a3c07e1888469e427ac643bbc5

SHA512
58641ac14e746f3b059666463ac1838a210f63d9c1f6190b5e7d172d8a85fa33de7b09e82963aa80e8313718e48e8f0d285aa66765216e842fcc066bbfc291e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9bce6e9aed3cc1ec66f3c3554951e72

SHA1
0f0d8f85108d8148254d9ab2730039cf2c973cec

SHA256
77834c2f0096ad5e1880462ab657dfc2dcd2ede9899f5df8fdafc7bfc255d304

SHA512
7607b2ee4578d8a8f3334c247277bbefb9cfbdb4797988b2e19b321296243e4448dee47f7bfa33b191b48c2ea721e7b688830b5918629ce704e2f9f8a5a8473b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5ee317280691f75516b9243e41e83bb1

SHA1
49855389fdacd4aafad68f7d720937ef9a3a2e33

SHA256
3672275ae674431b6bbd83e1712b3ff6d430e6a0b5ca47c35eed3b1a7ed95219

SHA512
697a9b073f2a504e8bcb25386fc35f25921d42e31519ea382929b988fce5366766aa41be0a6b8116a7ba58a76783a7185e93c5ed8ca4766222d6eb5e09742fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f7a5c0dfbef3899c3540a9777fd81585

SHA1
330250d7b358101e039b10598630f3ca288fc3bc

SHA256
d547e7e25b501bbd53149dddbc62e537c0eb03cedcc6491ce2545236c69fa713

SHA512
230c3031a3320b3bd158baadb95a16d8b35c26abe7b7067c0b76438c70dd2eb014a29bcdca9cd075a5973c93ea9480cc4b0d4bb4f5903b3c8b92f0055c845bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f8a5b66bb94180bb996aac30ebb45fb

SHA1
b4bcd946302ccb69dfd692765612807fc464f51c

SHA256
1f1b6b921233e84889cecbc1e41fade1be16fc5de18998b20b8e02b6dea9c7da

SHA512
9f5799263b2d6064abb8781b52225b4a124bc8a4647694bfde1c64879d3e0e51d1ce9f4a1758df144a394f79e5048a7505c816779104897697a312605530b4f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3c77db4dc2513f650da2b84bb99e3be

SHA1
7971a45b5d75cf198492f69f1e948a8c450563a9

SHA256
7453edbe395b8f946744a3ba966acf78955578d24965bacd491b126cff0eed79

SHA512
fbb6c780778d401f6fabe26f5500daa4e89096aa225894040b4b82383e03b83461fd35c40610cc51b01c06ee077b57af6b042bba5d21e68c042b86f340a993f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
393c12d2e75e9b2013079a02505b4bd5

SHA1
1dc61b9316a59b547fe05cda4beb2831c1ed4368

SHA256
adf940a0e475d6a73b2b1d5740d4b70ab91b0d68da1470b1822e8111e8b8a62e

SHA512
7d47e6d054867891d4de9c5134e0b2055b723d74c576a0dc058afd65a6f458aeb31a481a7d456003d779a37f851be74de1ee58f770bff65bfd0a4bce20181e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
62bb3968a012485b9d737bfa43b45361

SHA1
726b79952dcab4e3b7193bec91a73a2ea02a6186

SHA256
2b8845b794db64d04fc898a5fc33c0da3f780010eaa3d07af5e5d940ae120062

SHA512
303b2e54cb96641046f6d467eff479b29da3fceda56cc71a3d4d1c2a14e95fae14a0d73e9d48e9ec4b6b8cc8fbc79f77b9f14dda38104663043a9fddea036b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
73916010bceb9092cb069fd4d3b7bfa6

SHA1
145badb166a3a00712025bdcfa45460e2e298af4

SHA256
886e34d78cd63307c66a0606615e03467e9455335e911b1dd176776db541f4bf

SHA512
44f437d3458f2ccea8bf7d8f2bc0e3fa0f1a74041544837b6a96d57a1ceeadbfe962f2c4449f6bafa21d0887e7cc34e300a9902c1c2eaf1fbdb7d56db1a6b103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
462c88be651fba4a1a8f737c19feb280

SHA1
ffd1c77a8a9e73b24f1d1dcd1eab63504dbf7fed

SHA256
92e9755efa65192558254845c4498b930dfd46eea93a420ec51bdb5f09923c6f

SHA512
fd8e278771259de1c68d115db4d460e3a068eba7da62d7081e02e94a62ea33a086215ac41e3ef58a07fbf6693e15c634ea868669997f1dc7637efd172c1b0961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6a978d258b03b1cac13c3f420b5a2cc8

SHA1
fa46a81001ce3506c02340f0737418f94eb55c3a

SHA256
285a5acbe01f6376ebf1b3be14df9c4549a841597eb2564c53986fefc73925e4

SHA512
c9f6e98a35f94ba618f044bb43b7f69a467a6dfd76d702224f258fe42bebd984380999080b80def25ef0d2f0c44e02f35466ca2939639baeaa645e3a3a5da5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3e259310408fea8b2df5b9d72ad6767

SHA1
0f33221f40557f5f42275cdfaf52ef8cd04eed32

SHA256
dc55859053fedc4dad4e7180cde0ed112758236f016cd09cd818ebfdd5d50338

SHA512
aa5d93a4a9825cfb451609ebbf0d52e9edc08ee2e4e3f461448f4a989d5fbc778c42229b61ba4629694a8da882b5f9630dd5073e6d4c2d87ae8bab35314ab722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa68f242823f674995f25da23b576d28

SHA1
ea19b34f2cf2fe486d6ae5d21a69a4589d68e9a3

SHA256
7f5b9205c16dabb868816aacd208b2e0248a5b2b1444a0385f6c58beed69be34

SHA512
c09a73155cca30135b730569fd3265850b1a92978c4ce6bfb05c77217d1cd3366c00fa4525cc2700c305113614b3525d543ec4f6374a2613ec4b36d8247ce99f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b89014dbfb504f038f1a5af133074d2

SHA1
5d90fd63f9c460a79d9da54a14b02789c3e5bf10

SHA256
bb884cb10e90241eb4622ae7976e3a12214b433409c3efe6baab39a8df4e5102

SHA512
96345af9de52bd9e01e376d080dc91efb492e26a5be78ed89a78d9f1a3982b86784c84bc1184e1126bb2866b1b2a704faadb02374a77408a4c22c131be4f9234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1473360575a615cc11467e8aa6fe7144

SHA1
dc0e001af2ee1ead9d261978248e24339a0e353b

SHA256
db15f84b80e87d5c56212c4d557b41f6424c256907d678da26b1071172f2de94

SHA512
2896f0036bc0e9e402eeb4165f651841ef8fc5dc2bed37f4972cd7156164ab8bf7986a3d238a15b31f2d2c9139df559298cd5b6d19a7058268ae2a214d7a6a42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d264dc98236dd75d3b1eea3295ddcbb1

SHA1
1767b2811a5a165a36d34da9573129d736260638

SHA256
99af965cacd99f91a01065e48cb64713dc88d0174a583a226eeb6570ea1450f5

SHA512
b25a2322479c5a5d1acf33e6b48b786d72787321c3a59cecb33de86c63aef7a36f4dac1b461c6d75e2f7b05759fef19d22c78d10a7934093deec22f7673fcf7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6359181db1b3dc670dd8955fa6c0e1b8

SHA1
1cfad3cf78c6518192937e89e07907fbdcc86dae

SHA256
c1399112b25ed9c26764ffe686460cba5acfe163d4714c84c36f0d1e9bfb66c1

SHA512
d2ab3c33a833a6382b94d06019ea2da637ce086ffae1d7b5b0f061241eb7a61d9dd4346f7186b5cf474c46e67f1fc8a99cdb99c4900ac3e643b486c4727589d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cccf0f08d8778ac0d29c50abe3fd5808

SHA1
10c827cb4a3b45fd5f8e6c49d0999ad511def3fc

SHA256
fb64b7566e7e19e7ee3970d3830a106eed8ad4b5fbd3cf59506b73bd546c5170

SHA512
34bcf306ab249781ff56e82f714da84f89c672fc4cadb1a2613f95a5b2b33d6551b705c9464209bcc4d9cee3ffe344e31866d2f48e5551386db59da98354bf84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
237be760c134c89d0f32daf356eb01bc

SHA1
b76dc740772f973e8671b41fe56976871bc1dbf6

SHA256
df4ea9f22f7f2efa361f28015e6e13e66879caa3f199b703b85a9d129ca3db7d

SHA512
24c128597f722795f3b40e0438afd250e7a32fd8ee1098fd763b79c5caaf5429b833331d6679fd7f508c9d9c2e945123532df539c8770564f6859d8346d06d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
550d462a8b7d22e5663f424f35ff40bf

SHA1
9effc9db0fa1701856b0eeb35433825cca872ba7

SHA256
a5ca17d6e5093cb33424d9321f4da2c143e3f12beed9c58941569b3058091ae7

SHA512
174219a980ae12d6f35af2e8ef0f9d464479e1d2cccbbb582b4a3a55fb4e9e71fa45df559abde9daef749be070e15fa0c980b53e38b5e3a4a53ca5297b173acb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c0deab57edf36b8efb0f859af75b8f1a

SHA1
40279c6f890f05e0aa936225d3febc5d85dcb65c

SHA256
02bea25ee356fdfa561eceae7add9fbf5c87530f31d260981a17bcdb21a906de

SHA512
778e8a5ebb3377d1b7f9c8b6002a8828c935a28d9a38d7c37b05ebbf8f82866a77a2df629ba6ec842298ef696aec01a7af1a325732ca574b8eca2a67e2a503a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e1609d349f840de0515fc30d4d464768

SHA1
631a7c588b1b67698537dc4bed45c58776aa44cf

SHA256
c353570458f57e53d7db24f9490ed8d490df6239df54508184b5d6e154ff1f99

SHA512
0f60bc8c6b2998977609d63404295ff3ae2b4724ba256458e2563eb80642e15b83a0e8ac287a2e0726a72c4b11d5f95cd42bfa6adbd367eb8fed31bf640375f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
233604b82283aa2dc7c3cd45b6188ab1

SHA1
dfefa954f6f64f2d3713add257a52e1ac1e09d20

SHA256
3d6726245aa25130cb7d3b3bbd249c2ce83130aba7a53d0253d19ab928be5039

SHA512
24e84c917ae1d49564f2834e6c0ddc0171584a1e30b5bca1da8a693d240b167bc1d074b0f8da4866c8751980f81854088a20a8a75292c204ca1fc76b17177f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5cae1a.TMP

Filesize
10KB

MD5
d5fad175a11b43969babf3686bdfd658

SHA1
9df1c3424d65fd2959fda1c7acdc59cec8f5cb44

SHA256
f50f316c842e002fe53794e504e02443e8d2384ac12f295a3a294d58840e72e5

SHA512
886983a500ec79a1111a1aae6f7ef01a6093fa1de9b3c4757492b0b5141b6af9898b8fb428b3b391c0a8d1f7951cbce545e71682002924b8e54751ba37e8cbf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
00c05fbabb20fa921fde7b15e53d417d

SHA1
42ab11d42e4602ad3efae502f58f1995e16cf4d2

SHA256
7206f42f52a3c5cb24f896d12bc44b2bb220b6bcf7b6028921a05d828e9c76a4

SHA512
454fe8ebdb546ad83fabe130170a0a04ba80f1229ca738f0532c122016cbfbda058c624cd028c949c106fb34c75142976cfac3d7477ae6363dd2d8b1a78744c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe6025ad.TMP

Filesize
48B

MD5
c6ed4beca472420e4ca8073698f5591f

SHA1
1f429dac64fb8660134e0fee5c68d304a6494197

SHA256
d5e498272fb3f64723220c77a6b2d373bc23433a37e9882d99dc8aba321779c1

SHA512
ba0f3eaf9b1ec12a23c4cdd7aff528de7a0324a4aed07e83c4866911838b93717845960f26199b7f07e4cbb6b4309c159d026642a3d09a4bedc47ceef6d5f806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e48b419726118d7fe6c8daadcd7e5073

SHA1
382522859d29e1c0dd20700713054344c817edc0

SHA256
93e73d56c6aebaf3fca627e01a67cccaf3d4e33681abca7c9fc0d8dbec38d255

SHA512
7920f31d21e81556b2a544135ebf56174dbe9039e3fd2aaee991d97565a2d73314d9c6596fa9f7f0d89261a98d86264abfeb7bb0071226775cfdee69d01d54ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2dea815729e77a4fa5400bec2928ece1

SHA1
86813bea8a141900588a972e2ffc0cab799a5337

SHA256
f91a27e154aecfbc23475742d8e7548ce6b490f6b567e699a9832ea5ab7c0f18

SHA512
3ecd8c7ae657344e00adc2ae4124b83d5dd2bba0681010f10d168b72723d240b1d0d2e1973bc1e8b81ea92a1bace3249e753eb1450e21833302f3710e1e13a40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
76cec26a26aaa9f8f736e07fc2520b01

SHA1
77dd194942988c885bacdd19ad76e0eec36cc365

SHA256
5f409aedd319414243b195fdc930e2f4a70cddd24313430044b18f681a5b171a

SHA512
f7d306c68f34c5753e2b679d1966be9120d946674c7c88767671cb962001fc841bb7c258bb4050f360e2bb28d81716c6b4081fb6be9a9523d7914d7e7a0113f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe602a21.TMP

Filesize
116KB

MD5
813dc0250bbc00586057f779ae56842c

SHA1
237be9b740f1307c703923eb3ffee995d0201a7e

SHA256
4c0ea951a880c02e7ca24511f354daec9797630262eaf1469e1e08470a5ba682

SHA512
7dbc5f0531d29300c69d09c3d31576966f20f5c842014a616ea8b4696a8e23973ed3b9d0244d920429392ce58351a7e35a2cb65857d4d46cfefffd7bfaaf8b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\75df9a88-ccc8-42b9-9177-d445296a43d1.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0963a674e2278b218d97d56a394aef9c

SHA1
65b700a6d258306cf4ecee1ddc1c0de947d531b1

SHA256
957e4140677a01588b8cfd48558bfa0092c825c3b16d7db26000932f582c2298

SHA512
8425103f31a1af45a838815aad5dfde2cb14729db34684681d7e766f8eaaf90937cd0ae997c73b1ae843b1d97ff681828a5cbef28f6374527ea7e2cc99e61610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
1b08b26d6729f8b6e494ac93bde615af

SHA1
5657a49b739ccb75ced3e43ea90f499f4e5e38e2

SHA256
6520fd520a8559ef01af3b0f8cc3191b81da2d7a88f9f20c5f6a78caadbb1437

SHA512
23bcb401a3a0d50ceabccee45d74e8a43052163fdba358491df3287bab9ec7f11448dfbe3d7a8eaea6cd3803520c012fc7c496c10a202606f90e6f965ab463c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
8ae1401a91aa1ee9117379e99ac28315

SHA1
7367e4d81825495ae3a1dc340fd01eb859fed995

SHA256
a4e0bd7954c909712cb0e88109c52ae353b34dff9dbd5ac878b86f688f3223a0

SHA512
2abc3080c5d0dfff9bf7719bfde186d5f9c583df407d84ef3fba3d5fd3472553ebd3a13ccdebba0d1fe2ea9892188566e0b270c3ef5481faac328bf6196426d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b30e9844-428b-4384-bcc1-0b0e826f4941.tmp

Filesize
8KB

MD5
59647525f62fb2fa95209adc80d036cb

SHA1
38e0e1488c166e04d116061637727ef4a24a901a

SHA256
75f0422b32023402bddf7f944b77704f6ed0251613c1cfb3d3e9d40b2a7d3d3b

SHA512
822562769091867161fd4fa9a354dc6d6fcbc433a1513441af894a5479fc45f9d0f937f8fa938677f130fea794b45c60272dafea1a734d92cdb4dbde445fe1f5

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
memory/5636-4625-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5636-715-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5636-713-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12984-25984-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25978-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25983-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25982-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25981-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25980-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25976-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25977-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/12984-25985-0x00000131785C0000-0x00000131785C1000-memory.dmp

Filesize
4KB

Download
memory/13888-25841-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25837-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25838-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25839-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25842-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25843-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25840-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25832-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25833-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/13888-25831-0x0000027EE2550000-0x0000027EE2551000-memory.dmp

Filesize
4KB

Download
memory/15784-26268-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/15784-26272-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/25356-25920-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/25356-25918-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads