cryptolocker | 984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

Resubmissions

22-10-2024 00:01

241022-abbvhawflk 10

21-10-2024 23:58

241021-31jwmawelj 8

21-10-2024 23:55

241021-3yrhpatgka 6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

2.3MB
MD5

215d509bc217f7878270c161763b471e
SHA1

bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256

984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
SHA512

68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b
SSDEEP

49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in

Score

10^/10

cryptolocker dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (530) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CoronaVirus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 5 IoCs

Processes:

CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeCoronaVirus.exechrome.exe

pid	process
2572	CryptoLocker.exe
1832	{34184A33-0407-212E-3320-09040709E2C2}.exe
4980	{34184A33-0407-212E-3320-09040709E2C2}.exe
1048	CoronaVirus.exe
21332	chrome.exe

Loads dropped DLL 3 IoCs

Processes:

chrome.exe

pid process

21332 chrome.exe
21332 chrome.exe
21332 chrome.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
21332	chrome.exe
21332	chrome.exe
21332	chrome.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exeCoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

130 raw.githubusercontent.com
134 raw.githubusercontent.com
135 raw.githubusercontent.com
145 raw.githubusercontent.com
129 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
130	raw.githubusercontent.com
134	raw.githubusercontent.com
135	raw.githubusercontent.com
145	raw.githubusercontent.com
129	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\ui-strings.js.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	CoronaVirus.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.schema.mfl.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.resources.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.scale-400_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinOnboardingCommands.xml	CoronaVirus.exe
File created	C:\Program Files\OpenStop.DVR-MS.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common.Native.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.schema.mfl.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Analytics.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_or.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\ui-strings.js.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\THMBNAIL.PNG.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ru.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\AddressBook2x.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_2x.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_es-419.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-200_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.id-39591607.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV.id-39591607.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeCoronaVirus.exeWaveInstaller.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

18664 vssadmin.exe
20852 vssadmin.exe

pid	process
18664	vssadmin.exe
20852	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740289378164947"	chrome.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeCoronaVirus.exe

pid	process
2532	chrome.exe
2532	chrome.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe
1048	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

21532 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2532 chrome.exe
2532 chrome.exe
2532 chrome.exe
2532 chrome.exe
2532 chrome.exe
Suspicious behavior: RenamesItself 2 IoCs

Processes:

CoronaVirus.exe

pid process

1048 CoronaVirus.exe
1048 CoronaVirus.exe

pid	process
1048	CoronaVirus.exe
1048	CoronaVirus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4448	WaveInstaller.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

chrome.exeWaveInstaller.exe

pid	process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
4448	WaveInstaller.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

OpenWith.exeWORDPAD.EXE

pid	process
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21532	OpenWith.exe
21660	WORDPAD.EXE
21660	WORDPAD.EXE
21660	WORDPAD.EXE
21660	WORDPAD.EXE
21660	WORDPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2532 wrote to memory of 4424	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4424	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 4148	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1612	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 1612	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe
PID 2532 wrote to memory of 2068	2532	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeea7acc40,0x7ffeea7acc4c,0x7ffeea7acc58
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2112
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x210,0x290,0x7ff70ec64698,0x7ff70ec646a4,0x7ff70ec646b0
    3⤵
    PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5004,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3328,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5344,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5360,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3240,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5568,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:5072
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2572
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1832
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5500,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5480,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5612,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:3768
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1048
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4480
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:22560
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:18664
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:19680
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:20800
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:20852
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:20568
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:20588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3248,i,7745653644641976911,975840326189508226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:21332

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:20220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:21308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:21532
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\Documents\CompareSwitch.pot.id-39591607.[[email protected]].ncov"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:21660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:21716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-39591607.[[email protected]].ncov

Filesize
2.7MB

MD5
6bab500ef1c2243e66ef26042dbb32eb

SHA1
1c37fbcd65c2e2dca8e7f60cab10bc80914608f9

SHA256
4e85ccafdd7f949c6a0d28e3e4083537ae5d0f8d0984bde835208081a79c1e22

SHA512
b08d6f8a4798a0a1bd7299c12fb9d8ed8a137f1f1f07c67209c8d523c8a9e8e72d4f6794b3385119ec38a7ed6e4bed03fa5a54cdc83582a4ede408930b02c5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3493fb522ce813329b93c2e6bd33a3f5

SHA1
1b223164ab98adc959163e8ff7e8622481301788

SHA256
9427a36097f566993efffe7aa95761796e09babc16670ce8a33621efc2330d46

SHA512
1a0acad704cf3b8bf1c5f188696eaf244d132ef376974c6b30b9f8a99724fa5e29716d64aa3a36acf5be7db66cea26188a497e7eacdb87e1fe27901fdb42a2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ece6dfadb285213dc2c092ec8068955b

SHA1
24c3b58ab691cb0e4ec64301b30270a11adc2020

SHA256
06384867b143689d57b42cd3c8b858c5ee50450cda7137fbafbd8c627e9588b9

SHA512
5d201a1cf6d41f4e7419a9b4ce88c1b038e71da5ef903b9205971011519df6dbb0d0c13f9ac9fcfc29d29ef6bf2cdc3a85a8617b735709cfdb08257c347e04ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
9731aeb5dcc32cc1196235399bd6758f

SHA1
7b970bd1ae945e713ef7806f9d07b822fa47ec96

SHA256
12148c6afb8e09347f2b4536fe4f6fbde319786b2da63bbfbf9ef0d04aaa14ae

SHA512
7194014e0029661d911021fee21567622ba3990384e80c62e7f996186f7f92996d4d63307a048d8d0d6634057400671a0514531586b065ed267c7dce50144fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f51fa882fbc18c0888a826785f00e72a

SHA1
282379113eb2369f8ffda3edd884a8e52a7ad351

SHA256
9baa4c8d34e719024b481f0ad7edfe4ded0a1d1f2fb30a102604d4c5c95768f6

SHA512
c984ed4080866cf2867428fbce54b2c929724f20d2cfd7b44410bb678eb5a748155fc450a2e406c3803099c2124562d04c990eb577e6d80c3351c676c1cabff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bbf12914251ba19c5adc69c0a523a7b4

SHA1
33b9310507b5f28010d0225f2732e12e7d1dc972

SHA256
7c2aab48b2c69d5388fbd94f07848961e4e4a28678cdb475d57bc254ef21ba1c

SHA512
6452eb74b3308ec7c3c35d3b7ade0d8cd98f0e6136ab0ee2f355f1c8e48eb2e7fa31662de7103057874c9ff46cf01de24318531f70b5323b87fdf602a817b41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
549534ba11d4c28968247d85afbaf1cf

SHA1
5b358477f56d26b92fa9894a32881260da140ada

SHA256
716cb327d290943d1b8ec47ea45fda96257c3f5574468807080380696671e3ee

SHA512
6c022baabcb027213a70247eec54b79b3aab06b8c69a139ac6712bed9d9f7f2340cabc4cd93d04864685eac264ecb162cc0fecf0bf2bf70372cbcf872de19986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7a2e923970e79ea8c090693a3d7184c3

SHA1
430559697cb0c9a99799d101e8f2d93ba6fd12f8

SHA256
fe0e97711810e106da7e6444778fa2c7981d22679b7d6197ee50d188dd15a7dd

SHA512
921b81d41d814a75ce7d125fa02c223c6ada43f2be6916c64075c25d3a9ff9277a0421f197644eb3d29b3b9601386408979c2a53e18063be3d299cee370d85fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a49c5445fc2b9439bf8be0dcf3ac990

SHA1
480d4f4fec3ffd3470b57ba6383c6a39f2b4031c

SHA256
5069325a61cc262913ad35ba1c6a6adea8a0a5a15a0529bd2956c9c9f8dab592

SHA512
6906c53de40685486794396d4ab84605449aaa36150962cb5182aac987b620eb4e7e69cf59c4bda91aeb1a98d71e67f507255fee6c663fd2ae2cc1b0d775b0a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d1f3493a104342c5afde626ac03f6376

SHA1
3b5c2a14d9093346f9c73ae1b3b33afbd5431f1a

SHA256
5422ddbbe78825cd3a626533c706bd232657d988b2ce1cf43abb9f206d448d2d

SHA512
f69932da302b0412d5a0a34dba0b86b2f26273d55403abd63520f96245c46631799c4fa71758a9ed88e095054b52512796b8e7a71418ec3b04358b7295271e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5d63ebd8104e58eef234a4d17b7a707a

SHA1
c7f44562c7d103db7675f130c353fa6bd2bb9237

SHA256
a0f97180486271b74149755ade0d4f1f937dbb664cd86e414c8de7f98b8436b3

SHA512
7ce28dc6650abcdb9c60338dd60db41e1d53e67ad55ebe39598fa273ea3fd3f16e0bf3dd354716097179d433a73b800d6212096fe3eb600f0cc14fa40af6e8cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9298a223d541278f53feeb20015168c0

SHA1
b9cad25520be3f330d0f4b493d1d11f6026fef5c

SHA256
453c1438d159b00a6e72e433b2e114ad92e27fdd863cf3c0470409587ae1cf6d

SHA512
aa5dd9d2ccb3dcfcdf3bef14f1dd523e0d8b42803fc1fffcf313660480d9fec16dc1480f7c502cfc1f3cc93d08bd8b7a8052dd74a7963887c5945d8e0be19383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
370b5e363a4681fdb5d261cad127673f

SHA1
b3cfe0d4d8fc43d531a90f29b8112a714b7586c2

SHA256
75a356c1c85023f0192ea529e7a8a5a1da174aeb370e1eeb87b9193593da7c90

SHA512
6b1a91aefff5d1c10c950099ffa0cf0884aba0085a7bf9dbb4149ee2ab62f9bf61f098ca0f6ff7f44ecca144e77b644cb4294d955174af440250ed1a3e3f1c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d553a1aabbfa363ab3a2786c507ec0f7

SHA1
95c8b3a53638578aba702f630d3f05373d53bb5d

SHA256
b277d488cdf73c325b1943b68358751392b4cb46521518c736a4fa72ce0e7849

SHA512
1b3a53c2c1bb1ab9010a2ebd674e7813b7c18d8c002d95aafe030ac5efe16669bd9901828c4db489c75492be5eef92ee45036a81c0e68fced1c8bddaab0175d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c06824811802db93b3a0a0703ebedd5b

SHA1
cbab22a2b8a2409560067b8fa6d6914d617fa921

SHA256
64ea78dcbdae7ecccc3589048ad2d0c321be24860be886ee0e32703e011840e2

SHA512
dd1b039b8496e8759b3b9030bacc0352441bab75543adf87943c064ae1a7c01e092c84e94527fa931500035102b4f2fcf625ef60282539041a1eeb6a86a26b9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
82af8ac7593d71d174690979685e8aa0

SHA1
f06172e6d1713a1ec24ea4b6ce8bd44abce484c0

SHA256
3488ca06d64191f33d531dd9b7d84ae987137f9115aa6f11705679843938e9ae

SHA512
308f1924c791939aa94a6b60517f5637c988d2559c6e8e3583de23d93ea5fa1af3545d93d8d59d0919784e1d10227bf1b2ebcef45bed317132b38893f1e15b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dd9e1f8a7752c9993b5a5a5e2b8abf05

SHA1
4aa28509c453eb66ef92bd1b352b3a58fb785fd7

SHA256
ab781d0727dea130de19a9a5a696279b320b33a8dae88d0867d93888dbbc66fc

SHA512
7371a0ba98dc91d3dcfe8355141b170a07cb4f7f8401b6e55517e14103e9bb9b6abccef9d0677261d7c9adb2b5ae8f13cad183bfb554e0ff0082d055e56c265e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8092401e06cea182e9881d432848fd31

SHA1
e947fe21e180d9107e496984c2d2e8fd3aa2eab6

SHA256
714986798946daea5d80cb7e69e6445999c8cade476e5ec459043f80585e4deb

SHA512
632cc1a542e518a9a06ab883fc32ecb698c21744f65c7526f7f23df98775181eff9e3ae852dc4d65b32b1f155ee17b423be66540aff76af092bb0c2e34c34c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe599be8.TMP

Filesize
10KB

MD5
02100cba171f52e9b9a694501476b675

SHA1
5add27c86d673d918562eadad0656ceb16cd6bec

SHA256
71304c391c0274997126a883b9dbdafcc38616a418f37db1926b64de2297643c

SHA512
4b58734af9c64881a88d89110c13b914b9a8643b4ef8db0096062d5585a78ac7e6e6552a0490e23c0cd96389607c5821b8a479f777ee9c4265c7f111446ae4dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9d6a02dad804a68f9e4a292ada524e59

SHA1
5e6a73441a5e619b523e754c49d3053a3e181e40

SHA256
da00c6374a728c238e67d301287858b78acd3c38eb6287b51e545005a4ec82bb

SHA512
5684232793766c4c7f8f8b7850b5f78529c76aab51c722432798090dac084df0e84761868a9a4af59f004945e3e6473b21531c68097a2d57573979147059646f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f4ad46d1-7f35-4d60-8b7f-c2f9b48a2c3a.tmp

Filesize
10KB

MD5
6a66b508fc155fb4a41d5d2f1728a797

SHA1
cdbc370c4b3a4513891fb0988d2c0eb31fc13310

SHA256
9d60ed2958ccf69119d7521333c7f1e3590e2f76766eb81b939a6ba4cc39a434

SHA512
0a591a8ba97047bf98d56fd5ac5f5404c970c6734dd3c0d03106837cf0dd05bd1409a8a4fa48800cd6e9f7895e93da6febd9aca477f0eeeea41b62e9670121ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
7dfc1d1188b1092d6dc4606a6db78214

SHA1
f5bf177ab8a676880fdd9c2939f195a3580a50f4

SHA256
bb0bbfd0d2f5b5de38df1f2c58341be7426a7a940b11498ae32fb5c47c1122f8

SHA512
291061f0912594538dbde05daf6edb28732512053cd14fd6d0e15c6117d5ac8f63db624a6dff2d9531b1062e9c7270e8c9e7ad842565d782d1ac8d8965adc12e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
2416cc827e7db38a51c3f4af66c58111

SHA1
25aac6b9c047be8e8ce53c3a9b4192d708edc389

SHA256
f734aa6dc4e572535a7ba63e965207cec6628825d76b995fa286ce0b1fa49317

SHA512
79fef7b4d5f90df82a07173485d1395586ec9561a78cf5895fb61a00ef966a2631215e20dc181661761187f7461b341e68e95aa00e694d4345d6209826e0c34d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.js

Filesize
6.8MB

MD5
750a80361741fae53b982688a6058627

SHA1
061f5f23d614405100ae25e88c3193a2ea30b0ff

SHA256
4c9720f4dd99050680ef366779218b0be6e6423c6470eebfb55645a98dac95d6

SHA512
cf1940d0b5c23954046cd82ae5ffbd37ef5a4bf3b30a5851f4a2e5f010cbb893a53f66fae3aa8b5e519d96213bdcb74d490d731be901db60eab59ebc93c19e13

Download Submit
C:\Users\Admin\AppData\Local\Luau Language Server\shared\bin\en-us.json

Filesize
6.3MB

MD5
a01d12eb33db4c3c25eb99363b8f829d

SHA1
86be54dd6f380127abc4142ecb77fccd06870093

SHA256
43e8d25ce548b984080024c8425dc31b8b1aaa568549cc2a119f2c26abe999f5

SHA512
adfb7fd5c61bdff36a967db449216f0a905dd7568d275438c4534bceb25d2a1104f9c51f1811ee374ae21bba3dac872f9d678b58c3f07b341e016eb721515abf

Download Submit
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe

Filesize
949KB

MD5
495df8a4dee554179394b33daece4d1e

SHA1
0a67a0e43b4b4e3e25a736d08de4cec22033b696

SHA256
201263498c60fa595f394650c53a08d0b82850349123b97d41565e145ddf2f42

SHA512
ce3bef1038741f7a0f90cc131a4a1883fd84b006654024d591f5451e73166b4cae546e307c358b5b90aa0e6517bf7b6098f1f59a3ecc01598d4feb26e6b6af33

Download Submit
C:\Users\Admin\AppData\Local\Wave\bin\Background.mp4

Filesize
5.4MB

MD5
f43e532d44635be2659ae91e2fbdbc2d

SHA1
c9d76b7ef3c1218c7d898a717cd963785fdb98a0

SHA256
2778727cd81c9908f3cf7daf47b398c64ecc67afc591ed4128e55960ea1d4766

SHA512
1941242f25b4eae76152ef8f6d7abc5cfd6eab3e73119af43e4af7912e10eb05598aab9e9104f58c8b6401326e5add5a3853e0945b18ae0b6f42147e3088fbdc

Download Submit
C:\Users\Admin\AppData\Local\Wave\icudtl.dat

Filesize
11.0MB

MD5
1623b204a4022ef0b757bad136a1e74e

SHA1
84cf70ee4d33ec453c699322909ad15fce70e056

SHA256
d648076c0dc9ae1e7411c4ef61949b3ce80ccbe7c420ed1be7b92a8932183465

SHA512
f9b36269391157ddc9a1d61935920dffefef148e8269b51dcfe237db1a9998cc10d3c39ac8eb7d9b7078d36a80ab2df0b0e3dc9e631403a4da8816b3185aab23

Download Submit
C:\Users\Admin\AppData\Local\Wave\v8_context_snapshot.bin

Filesize
128KB

MD5
5c0a8a3fdd70841784a1dafc601bd74f

SHA1
e5b0aedce1777eb0eba56a6b90bcf79bfb9848fb

SHA256
04ddd3694553815a88d9230eeea7e34b6f809a4c8403d98b10b8dec5e504f4a5

SHA512
f4d1984be8af78b0868a686ed6a88e27fe9e3ae137618c60e92ef6afb561405359f6bab6ef6a9068222a3df35910bcb7925f99e4a9046147576792f192232bee

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 790496.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
\??\pipe\crashpad_2532_TRCCEXHXAOUZVAKU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1048-619-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-421-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1048-4268-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4448-2-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4448-375-0x000000000A220000-0x000000000A228000-memory.dmp

Filesize
32KB

Download
memory/4448-6-0x00000000098C0000-0x00000000098CE000-memory.dmp

Filesize
56KB

Download
memory/4448-377-0x000000000B730000-0x000000000B7A2000-memory.dmp

Filesize
456KB

Download
memory/4448-4-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4448-3-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4448-379-0x000000000A250000-0x000000000A25A000-memory.dmp

Filesize
40KB

Download
memory/4448-5-0x00000000098E0000-0x0000000009918000-memory.dmp

Filesize
224KB

Download
memory/4448-373-0x0000000009460000-0x00000000094F6000-memory.dmp

Filesize
600KB

Download
memory/4448-374-0x0000000009500000-0x0000000009526000-memory.dmp

Filesize
152KB

Download
memory/4448-7-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/4448-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/4448-378-0x000000000A240000-0x000000000A24A000-memory.dmp

Filesize
40KB

Download
memory/4448-1-0x0000000000430000-0x000000000067A000-memory.dmp

Filesize
2.3MB

Download
memory/4448-17-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4448-20-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download