dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

09-11-2024 01:48

241109-b8bfnsxkgr 10

09-11-2024 01:46

241109-b7asratmfs 10

08-11-2024 23:02

241108-21j1yssaln 10

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (518) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msedge.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 8 IoCs

pid	Process
1804	CoronaVirus.exe
2732	CoronaVirus.exe
3036	CoronaVirus.exe
22344	CoronaVirus.exe
22552	CoronaVirus.exe
30984	msedge.exe
31096	msedge.exe
31360	msedge.exe

Loads dropped DLL 3 IoCs

pid	Process
30984	msedge.exe
31096	msedge.exe
31360	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square150x150Logo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-24.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Pyramid.Medium.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsiProvider.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\wab32.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-colorize.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-125.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\ui-strings.js.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\wmfclearkey.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kn.pak.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.INF.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.id-9A000F40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\6px.png	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
30444	vssadmin.exe
30528	vssadmin.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 217113.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 225920.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 738081.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe
4704	msedge.exe
4704	msedge.exe
4048	identity_helper.exe
4048	identity_helper.exe
1396	msedge.exe
1396	msedge.exe
2316	msedge.exe
2316	msedge.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe
1804	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	30536	vssvc.exe
Token: SeRestorePrivilege	30536	vssvc.exe
Token: SeAuditPrivilege	30536	vssvc.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 2828	4704	msedge.exe	83
PID 4704 wrote to memory of 2828	4704	msedge.exe	83
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 2072	4704	msedge.exe	84
PID 4704 wrote to memory of 1660	4704	msedge.exe	85
PID 4704 wrote to memory of 1660	4704	msedge.exe	85
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86
PID 4704 wrote to memory of 5116	4704	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb0ca46f8,0x7ffcb0ca4708,0x7ffcb0ca4718
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1804
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2368
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:34132
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:30444
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:30400
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:30496
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:30528
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:30588
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:30628
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:22344
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:22552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:29452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:30984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:31096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17846755261309181525,2602730330024917569,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6284 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:31360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:30536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-9A000F40.[[email protected]].ncov

Filesize
3.2MB

MD5
661850008a3b024366a9bb01d2d9f1e5

SHA1
e8245581aadbf33d7ba119a444a44c429d1dbcdb

SHA256
00975fc86a956eae5a9c56fccf830a04c9d2a6a4f33d78233d223b03f0710b68

SHA512
87ccb34e32886f2c027f4fec46e7d090a4d85444f031f50aa1bf0a067261fec5e607dc198a785ef9d77418addce1b634a162a1c2b13f00e3811c0f65ea871a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
551ec1ab5799476429ed57184a6e0502

SHA1
7bcf188080787adcbcf62dcdad2ffa9ad38e1301

SHA256
a26c3b6f6f77a35a297032c0ab11fa2be0a3e3d0091d7d2cf275fd40c84a43c1

SHA512
c9f59fa7160d68e2eb1cc8453a770423af23c2ea93a779aca1180111705096760aee976db84155973402731b113e7e4266772d32d1efd3fdd674d2ea0e5bf058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d7ed229206870ded9e69726ff3adf338

SHA1
b5369e9a332808a6bcc2126f929f0d4fa1057b1e

SHA256
00711de4d2f5f3011bba40afbf5344bcf103fdcf778d4f623d92e44d57697998

SHA512
02421bf9b0fe868205e75f39618cf987551dc75cb99e707e601372ec5e8a173d4a5ca456efee69ef1b0151550ef8c916ed1a65ee9553c4a568757af4cb501b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
75237b876e4ebf0cf587313ae92b7952

SHA1
ef712d6b1e678d091b39cd593b8d4a2a5520f139

SHA256
d7abd571a35eaba20a7c57d7ac93cbb59b8d4b417f4b67590ee1c29ff561442b

SHA512
0c96b1f590a69141018c2112e36de65fb30ab57320b4b76da3a672b23c716197fc06e0f381491975319a8ad4ae138660469d3149cfbb69be96a2cfdfcaf802b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c49a186e8efa5453e3406f908d41fdd8

SHA1
5a18b25f39eb5533b89fe8fc284e6d5e460642e2

SHA256
5614540ab093d2d130ed842ebee07c6a2981dbeb98274895f5af2f1fce9f18fd

SHA512
f8f3d01f81cfe296d20c6f01880de399f493574da978fa1b6c65099466b3d5432359fff0695cefc5e5cb1d5a40d24c1d425d27804cb7c95f9d4fd3e385c6c174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a001a7672e1f57a46c052ad3e49bb36

SHA1
bd0007dce71750c20b7ca598e0f7f473c4b71013

SHA256
01a0f6725089353252064096460200567b435d88416df231460972e1d16b1097

SHA512
85bd1e6e71e34525e562fbabbf9dff4d10a665618f9d6a6b4a430197225bed3c6b63cf94e0855d2498c2bae475ff9fdb94306b75352d890c0d86f9d6c744274d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
919fb58d442890c0ee8d9cdc4e630194

SHA1
c1c0f89d3db7e904148f08b4e24ac338c2ec4f55

SHA256
0afa29db5fb296f7b08836e0c8022ff2842af05f056d4b18283dd6824042fa00

SHA512
4c4ef3ab2582441916e0d87e34c2d3cb98eb3aa51d0bbbad8aa0567cbe3dc35b1c4425e962a906b0fb80573022b8f18792471b51517226b1d1f38c20aab1cc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
738ce7ad93260629c59e3d94848d4899

SHA1
16f9309b4fd46a524a7dbd7c653d8af77976ef1d

SHA256
b6e97be07b302dea9e02d378b4cb246f3b65d5d3cb31ccbe42cfbd2ea3031408

SHA512
48bb9773c7e6e8317950ff19e4ddfb191e2b9c5412996d977dbd8a898970e2e042e9ad262e90b42627734ec90f240e6be8a12bea39b1a510d282713595167197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
19B

MD5
5ed5e62e752eeeb455e377fd9e282c85

SHA1
7ec08c41642152607e446d1d7c7e599c72d24fdd

SHA256
b57eb720c14d977d6ed5c49b31920ea169eafe884d4e3d16396fa7e2771db08b

SHA512
22e25c99df1b6a2c79e10109a1acdc80954518be9747637204e06eac5324c8805a38b073c183993b12feb1c4813d0fdbd28beff344c8361885b31d61ff3cb168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3d5914354af6d403b2add507af79b14a

SHA1
b1b5f2a83d43554539beedf05b65733cb3747525

SHA256
8d1f325ffaf4f7fefd3bf8203e72ad78f7a5502cbd3f05874590d0e9fb313a49

SHA512
9075690612cb5c180e131ee9f246af691f81f803bc4cdb698db6026724aafaaf669791a1d23704b5fe32b1835e25d7b4cd4b6ed29ee3e24ab36d38b5cda015a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3931e0600d83e7664e0858c0c414536a

SHA1
089b2c7543a4a09528ac392671b8761debf8509c

SHA256
b419d6b466d9c2e1467d5352eb47376cf2c5436670e82eb677c7c09ea3e92e94

SHA512
163850a9becc38996d1ffee8bd7e2bdbe724bc9851165ace288cb0f77924e7e039e2dc8b72c35489ef9e2b900cf4617f4450ddaa4cc0548e95c9279dca46ab97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a9ee3799868dce5e9329b7f1b7ca9f2c

SHA1
78e1ac1e0c27fd7ed157b0ee742fc62f8849f5c0

SHA256
f6455b2a7fb11b9ec2ac6e97b7018d8bcb382eb9223251bbd984ca607c948973

SHA512
1217a0ae842a5154ac8ad46ba0dc8c6242ab0a3a53deb17046926578cd0f01e128ca360952410d8d4f2100d8fc8c4a7a156f4d1187944840050691c860392444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e050c635e81aa683d570f8b0141b248f

SHA1
26f58e98f0bcd09b41eb329b04b672504b2048ef

SHA256
84868c6c6f9e0832b1cdfb3ae4905e00c0b87b25f05937c5d76efe080178c1c0

SHA512
03ea82d338404c31e17739b9aa93bf2fe712a1fc88f16539d2a40db8326b891fe18e73dc1e663183156ae34b2f4b4fc2905dbe8143013ed92bbc0d77d71a0001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae83e5e462023e447c2638a7775cb05e

SHA1
e066789493dab0c9505bb4c6505f6b92a84149b7

SHA256
177a3e259e11d4146b82538aec33029409e99a0939c637180ed9bb1a7a48c07f

SHA512
c02dcd62faf1c9077a81a73f814c8d1f8f7b48110911c56f7de0105c775e6cb698584ccb0a7ada64042fba16aebf13b9303c18e57708ebe8054c61531e9c27fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a619942195b4aa38007fd3d992c2199

SHA1
f270f63892c3f58ced083c549881e8a0ed8924e5

SHA256
ca48a5046281d22787f14e487d40f5147a239769db50b3025d2c5015554a7f66

SHA512
024ec84fd30b334c66ff3f7d87fa1f553e27ffaee48fb191cd82db9ca0c78522d153c548a5b20e8dd78c6b44b9c1bc8816caf54f839fb7a1ca137696cd759532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c8fd.TMP

Filesize
874B

MD5
f044669c874ab6adb1117db4b6dfa4ab

SHA1
b5355fad553e2096d5a4bb85aa4c497315ed84f3

SHA256
89fd0df406defed4adc9b1c2a347d29b35136e10bf88766469fd46b6744f839b

SHA512
d933dfabff3882537e6886d801d5fe92677b8edc7654ea64268b01779c813e50c04212051395509c11d7ccad084a074b987d0397d6402263fe914d7697a24a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592d11.TMP

Filesize
1KB

MD5
a084f46d752bf0ef44abc338c51fb0e3

SHA1
555aeaf10e349fb1083d43d6fb5bb93b9c9f85e8

SHA256
a0e4076ff4dc284b348388fcaede3c8d0fe3940ff10b6b2462357b45a0dc9ed7

SHA512
8069872a7cff060280b27124d5838baa98c29bf8a166962579c1402a102fad1fcfa0fb464cd8f284fc2a2016e1b0ca436f4bb63f9f7821eb20129ed5f91404fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a75d70dab481c2c8da1e97fe0f7700c

SHA1
e0228824371b918dfd8c08d7b6469ed12f1227ea

SHA256
0deb38c43206ec63e4807dcd190e8b3222494971cfbe745e21828744f50bb9b6

SHA512
19346f1172058f6473409a95df4d03490e2413c3a304cb7c2c84f6599486c7ed4198b4fddbcd76d14a4bd6e8a8ceceb3822b94fd0d31f265169178db1fe9c1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
674db18516ce075f320deb46a87a7d47

SHA1
70cad83aa9827a87a71c7ccb04cc591fd38a4ff1

SHA256
f4cc8223ada919a1283f102c220889a90e3556ea45be8315ccdac72e68cc167b

SHA512
f715abb5f81591dba9b533a611d893a24bce325765945d0cbb0d439b5b926e6fa3cfde2da022dc9d61a64e33ec51c10b516907b92c1b6f05968a188e742287f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d9527e59d2215fbac30ba7cfa18b911d

SHA1
e04806f1732b4909d2172ae67648c6336f1c5417

SHA256
4eeadecdc12b268a929b26d5cc5fc11500241fe46cc497b4387f1d731264551b

SHA512
ac138a99db30a367894e62560b8e14145735ab5877b15c78a99bdc1b36498191c72cc29d5dafee4933189d65b53eb1086bf0f2db537a76d87cebefa7f33a133e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
544e4017d790ea020615a21d5f84d13d

SHA1
765b5a84977c31303e47414be4cbf0a23241fb0f

SHA256
c83e28dd8808b789d9e94eb42d00b8d33cd8df20de2329e794f4913fe460b5f1

SHA512
a76bff7d6d9629c712c7b54a1d54853fc0197ee17270caaec7b4f0f31aa2ebc85e3024c5a21ef9cad87ba088af894e7aa15e49481528f75776dc49cb48650231

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 217113.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 225920.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 738081.crdownload

Filesize
96KB

MD5
60335edf459643a87168da8ed74c2b60

SHA1
61f3e01174a6557f9c0bfc89ae682d37a7e91e2e

SHA256
7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a

SHA512
b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb

Download Submit
memory/1804-379-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-341-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-4739-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-5822-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-6582-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-378-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-6581-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-6026-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22344-21872-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22344-21007-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22344-4814-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22552-21734-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22552-20782-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22552-4815-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download