dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke[.]98[.]exe

Analysis

max time kernel
343s
max time network
344s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 21:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

Score

10^/10

dharma credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Annabelle.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exeAnnabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (567) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

Annabelle.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll	Annabelle.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

18280 NetSh.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

pid	process
18280	NetSh.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 19 IoCs

Processes:

WinNuke.98.exeCoronaVirus.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeAnnabelle.exe7ev3n.exesystem.exe$uckyLocker.exe

pid	process
1648	WinNuke.98.exe
3616	CoronaVirus.exe
20180	chrome.exe
19364	chrome.exe
19344	chrome.exe
19340	chrome.exe
19764	chrome.exe
19848	chrome.exe
16088	chrome.exe
18204	chrome.exe
16124	chrome.exe
16100	chrome.exe
16312	chrome.exe
16476	chrome.exe
16564	chrome.exe
8356	Annabelle.exe
16868	7ev3n.exe
16984	system.exe
12772	$uckyLocker.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
defense_evasion

Safe Mode Boot
T1562.009

Processes:

Annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	Annabelle.exe

Loads dropped DLL 13 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
20180	chrome.exe
19364	chrome.exe
19344	chrome.exe
19340	chrome.exe
19848	chrome.exe
18204	chrome.exe
19764	chrome.exe
16088	chrome.exe
16100	chrome.exe
16124	chrome.exe
16312	chrome.exe
16476	chrome.exe
16564	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Annabelle.exeCoronaVirus.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4249425805-3408538557-1766626484-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4249425805-3408538557-1766626484-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
20 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
2	raw.githubusercontent.com
20	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

$uckyLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardTitle.types.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-96.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\ui-strings.js.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\GlassVertexShader.cso	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-48_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\msproof7imm.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-60.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\de.pak.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\et-ee\Resources.resw	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraBadgeLogo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-24.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\atl110.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\models\en-US.Calendar.model	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintWideTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_no.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_lb.dll.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js.id-64D63081.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js	CoronaVirus.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\7ev3n.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CoronaVirus.exe7ev3n.exesystem.execmd.exeSCHTASKS.execmd.exereg.exeWinNuke.98.exereg.execmd.exereg.exereg.execmd.execmd.exeshutdown.execmd.exereg.exereg.exe$uckyLocker.execmd.exereg.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ev3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

10604 vssadmin.exe
15880 vssadmin.exe
18196 vssadmin.exe
18232 vssadmin.exe
18236 vssadmin.exe

pid	process
10604	vssadmin.exe
15880	vssadmin.exe
18196	vssadmin.exe
18232	vssadmin.exe
18236	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "186"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763522426335669"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 6 IoCs

Processes:

chrome.exechrome.exechrome.exe7ev3n.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\7ev3n.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\system.exe\:Zone.Identifier:$DATA	7ev3n.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

SCHTASKS.exe

pid process

16944 SCHTASKS.exe

pid	process
16944	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeCoronaVirus.exe

pid	process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe
3616	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2212 chrome.exe
2212 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exePickerHost.exeLogonUI.exe

pid process

17064 OpenWith.exe
18024 PickerHost.exe
18956 LogonUI.exe

pid	process
17064	OpenWith.exe
18024	PickerHost.exe
18956	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2212 wrote to memory of 4264	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 4264	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 1624	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 780	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 780	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe
PID 2212 wrote to memory of 2904	2212	chrome.exe	chrome.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffffffccc40,0x7ffffffccc4c,0x7ffffffccc58
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4624,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4620,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4684,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2392
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4880,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3508,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4900,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5396,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5196,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1340
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:224
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:23100
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:10604
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3832
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:15440
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:15880
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:6556
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:15660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5824,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:19364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4656,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:19344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5016,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:19340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5772,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4836,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:19764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5108,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:19848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5684,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:18204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5832,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:16124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5828,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:16100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4936,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:16088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5940,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:16312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5792,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:16476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6068,i,15576753714461078532,10120200014143310332,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:16564
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:8356
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:18196
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:18232
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:18236
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:18280
- C:\Users\Admin\Downloads\7ev3n.exe
  "C:\Users\Admin\Downloads\7ev3n.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:16868
- - C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:16984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:16964
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:16944
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        5⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:17676
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17312
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:17700
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17308
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:17640
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:17600
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:17624
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17336
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:17684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:17752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:17852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      PID:17928
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 10 -f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:18088
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:12772

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2756

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:72

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:13364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17064

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:18024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:18956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-64D63081.[[email protected]].ncov

Filesize
2.7MB

MD5
36b021249a45d0e736f34cfc68c1fecf

SHA1
0094f79a4860fbcf8a83e8c0b597efb912df997d

SHA256
8c71aad47ec59ee324341ebd6cf43a1fc1a51530ae6f7a2c78db4b87455ebec1

SHA512
28a0c8945d82103ecb6466012a59ecd34f2cc9383eca6c0716f7e7cdbec211be90c86264e2c22aff4566701b6a4cf1d6bd95546841292f067563c4bb30a9eb26

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.6MB

MD5
f2e161162def9b01d0da016d5f1d8c72

SHA1
7240449024e742ba6ba39de5885e9bd290d8ed31

SHA256
f7c1b79bbd7fd294b948871fa7d6130caadf101471cb4d69185cd0e7103a1b10

SHA512
3bbd85522d70f5aaa02eab07a23da47ab6f36e06deab8a5a9ea63557c96fb41bf3d16c62cabcdddcb458a442754228f69532db376df5260d004547484e067758

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
aee97661102c62b85784dd1ab96538cc

SHA1
1ba8cbad088b0d8c114d7138439fb6964891050e

SHA256
2b11c6404123329c92053bd531009b095bf3805f08677de3c440c1ebdc1405e7

SHA512
3fed2e61321aaa15082ded010352c965d2ae50a739ea03189e05e81545f5b72e9c872ddcd4ea44c9e50e37df1f89654310627b52f15a267e9d32000fa941d80f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b979cd71a52a7e09c34bc1bff9edee65

SHA1
936e05696b16a133c85a2e12b15de859615386f6

SHA256
353407459417abec64ac0cf5cbf4667bda496e8c8874757eeac523e924879b29

SHA512
fde4403f161bfd30a99ff515c614475983626ea557586dca00f5d90d643019fab09f576ef27a38f5fe907c5c549f70656a7646311d763e7390eed8f24d804a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5c7e169fe75a03c0890954647fa797a2

SHA1
5c0d6cf099144cb2b6a846149c6eb019b0f5636b

SHA256
cb527566af1f4c4471f4fbb3dc3c26773cbaf0f49e9c190f3f1781ac53349ed8

SHA512
4a074450d5355d9f32a7ff05adac46cace6e8c7c41623cf2baff879a4f6d825c98738e032241bf1e1b921df3c34af67881ad2a58ef8b61c645996180ba6148f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c6970386726ee6db4a74b4fe23dad81f

SHA1
590c404809e7a540fdfef5d136fcef70bbc36f00

SHA256
f46bcaef1ccc24844d1f71656930f68347679c5a01acbf741c94983450741a7d

SHA512
1d0f841394c7b0eb68ba05c4ba4318927277e75bf4e301045464a69c1855f1a5a69bec5cad010d4ec04bcd4ccc3aaef0ce8fadbb46047cb487b67fb0dacd0b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b5b01ddb3b59817cf05b1fec7624048

SHA1
f5bc3556450bbfae39251a4c14c8a6419816e444

SHA256
55394ac05076d89dd36bcad4d2fc468f3c71906515f66b7dd1ef4247f9a50884

SHA512
52a50a77a56308b3312b79456c2624b6d4f006415c66ec24f116ed3b11aa7f0cfa14b8400e9e0df1cd88d5c31c58eca0e5b5bf37c0267107420389daf2415665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f4c2149f1016d5cc30c9a5d960a3c065

SHA1
60d634d60ef95822b8a28b94af98cba81fc44d73

SHA256
d5ea437995a8255f6bff06d60bd57512f6e57c9de289cfc647c7d239d1f65596

SHA512
8921cc82e5c3fa18f347c26efbce5c2fcca4e492b90812d4a47e82762bc9503c508273ffbeed3bea67dd91786bd23924e205e5446b4e1eaa1723f0de824bd0a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a072932bb3560dabf980ee241dbc0423

SHA1
8f949e24e7c9ce67cb4ecd4d7a3da3577cc1fe53

SHA256
b1a4fac9538da1bada3fe28edc2eb9a688aecb6d8a57c509ffae4a48496f32a3

SHA512
f4f85dd00ba3e4d808c9f92acc3f0b8a0438c13a8f671445d21257a44086c9f499c8a1c5dbf308490df9fb440f447c2d481e4dfc9cdf2ae6057853ae5739657c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fc485cd7481d9f1100f1e6fa351b7ac2

SHA1
8c0c9b69fb08278f3732ad84a7eaf27804cc6078

SHA256
a137d6ac4875bfef0220bd8388af7e04aa9084de6ec348ee8a2d231a61858a86

SHA512
c4e3961dabbbd12ffe0826fa273af91b14a2213ee1ee32ff1f80199b7a5c27b61eb24a5f0fad025379f26ab256871d7971ab31285197a19da35e233dc0f05cb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c20810e66f32e924f161d661646323ae

SHA1
9f65fb66fde6f2f2b27b39472dcbf990df6d78aa

SHA256
50dabb94282244f25163d6d251ca80ab2b4aabd6c7960c135626813e48083e4e

SHA512
90ac2bd03bc62cb80d879a6c4df4c5bffb795ea6e6d87f6f40c39e5d0e4d8cdeba1f02112531f32dd60f243654d8f4e04f122b81154d0e4c16a836c7a82ab113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
69fd6bb66c3c789531d86746152f159e

SHA1
3e0ba6aa39885ff58cac7af215a9b59cd616ebb6

SHA256
d3026ef41f9739f8ab7476454ab66efeccb878b7475070af504e9bc2e271902d

SHA512
39ab074a4598e78b84400d04af7e8fa3421959ca798335704a72de387cc609dcd7c6acb5bed6c1d63e2845f2df33337718ba4c92546c15fe4341b7e795c5f204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
37bf882726c4122b7c8efd1ce24adc15

SHA1
96a0b08f714bf9830cfa28330532ee07be260433

SHA256
6df29acff6b93197b35aabd770202a68dcc594455d506fea7fd98ae0f1d4c958

SHA512
89ae09c1199a7829b4ae716411a78bc461446b40b4d184360032e759a8d9ffaff5fa14364575569ba85b08dff02c2cbd30d70b1ebf72a5c7da85a891dba841fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f92d2fcc531cbca4e9c7863354e94846

SHA1
e7522c8a5d9f5ec3dc9e7ffeec3879aabc4f935a

SHA256
3936c3795899559ebf0a63fcb611e71fe9aee6ec70591e8ad858f70382a044b1

SHA512
218b7df4a6fa8cd566935b5a861b5a8b41c07d118e130c3baf9e3913beb649292003a91c8badc2b1c850b9e576dd55cbdebbace6325f2647299e1e2d3840529b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fd5b0f942978429e0248ca3033b2a1ad

SHA1
693f6bd0d1fae9d6e6799dfc94f11bf0279bb233

SHA256
6a658876656bf407def90f5027389c4b8b9c841a00ee7a90ac7edbce757f3aad

SHA512
6460e0719bfa2032273255ea0dd50eb4b9c5f52eb010e38ee8f4e113acc3c88c15221e3f0abe25e192be6aa7106336579441f6d9bf2f655afb21fbe8873f5b49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe5b4f84.TMP

Filesize
1KB

MD5
a0f6d78ed889db9d3bcdc2ee096164e3

SHA1
78ba0c4aed899e646f694cc6bf1f23ad88b1da20

SHA256
2dec9143c679436e802e6a70411d1bb85f8460f2b42459cfeb090b1c79934fe8

SHA512
0b899e844e8263ec40317bbdb837f2767fee5650d385209c22019e23c1b505820e9d57d8d2fbf0a29a88f7d2ac9eb3cd5665e0048ae0b1e008d5906371b8a7b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e0c0edd2b0a54f28d1edbff08fe0bcea

SHA1
aa7ded40360981951d96354a1a0d7b2a194ffe5f

SHA256
794641f4d85dde88807e911337ada455078b60a9714b7880e9ee8ffba3fc83a7

SHA512
45bdcddc4969a4ca7191e13b0cf1a19720da1053e2c3d977699aa8228f80a061593e5bfd50f80453c27d10857462aba926ed0661c6a5c029a68bf56aea31e59c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
693ecfaf173c1aeeaee1d7c2e2794f95

SHA1
4ea708ec7f3c87f466ed6f2b5f70e2b8cf97a25f

SHA256
90af2215b5b667e6d2848726c7e7cf20655ac73e228aab3e0c7264eaf4ad96d2

SHA512
3aad2254b1b2a8d42ffc6fa928e0daf3c5355b339988873f075e49e1ddabe71e5d53887e8be80f697641cae4ab9f9f5e870a6f3fe97c26c6e28ded4d96f7435a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dc96bbe2e83e67df2a8932e52c20c961

SHA1
5221279064b003e2f4832db35de7a9aa78a89378

SHA256
40dc5e4fdbdb4130734db7379dd64fe937dd082e27ed95e4c83054234e908f85

SHA512
75d1ad03a1e73cad6aa7c39ef14e5ab0b70b21c636f12788a90fae83797a5b8552f0a0789f4a72d9772e254f621545e3811f927ba481b23cc4706ad4d411677e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c2522365ae5658fa8ea0d51b60ad43e8

SHA1
5b673b38464278405e884970ccec017e048519f3

SHA256
6b7e908ce5f929c6ac52b21c4e64cd1b299d540b2bab9eb656f50d9f7b1b20df

SHA512
0bb49973112c1ed899ab3f80001595dfe6adadbb39b98f9bc77104024059924c0a6e7a50bfe49f1b30d5544945bee0fdedb2f467aceea9193afc583e65d22778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63cd9c45591428f854c29e1253e67a0f

SHA1
0508aebe16412342eaad4c26d866b85823ddcb34

SHA256
457c5bfb7534339dad01c078bf6236f3fbfaa4f12a860263ed8ffdbb6651d81b

SHA512
074068c464f7cce07e002ef62ed2b3b933a00a7557b612c489fe9fd2904188c181fbd1b69ab355fdc0a6c5443d07e4874a67d1bc9c77b3bce4c9a0aaadfa32aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1cbe9491737a4ac828dfc4c2107e788e

SHA1
8b4671842de9a2b17be4fd47473254bb6279e984

SHA256
8cc69f0f782fc0acf69cc7f056dac03827cd564bb57baa8eee0af8f3f1f2c4e9

SHA512
3ffcf15728e44d55cb65be2dc18eef127f142625a32ea866795a2bc6e54401c6f95e7b87d620e7271726efae92a1e7f65c95df88dc3177b4ce21afd189fb8d7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
905166ceffeecc1c1a8095bc6614a6a8

SHA1
05363765dd356bbba47512251f0abba15350bfc7

SHA256
82360a347f3890f6f1f906eae3468d6d4b17d91ec37eeb8e7a3e5397d752e591

SHA512
032f87aca090d1442a2e1b97c3266335ba908884e497215b96acfeec715321e8b2d8850af9f0673a199bad212e623ee48d674c937da151fae57a3b4252718388

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ae2330eb37b90ea7fa0189372374658

SHA1
5775f729a7b6df23946c93e19e19fd229702f8cf

SHA256
1c9f3a81e11c98dea55f5641993fbdca5ffea57d5fe11dc420c670cc96922e19

SHA512
c6770c5da2c1b83423b4c070442bfa4552a0b77c76c632465c40e644f93026ae47899f12af6019071ce31df4cb7cea9e2717ea8bb7c2d5f38f4d3d3d138df33e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5a9ad9b69da503a0f0605f87c003463c

SHA1
75d73cceb4fcbf40180dbffc2db86ee5460682c9

SHA256
677bc688d6342892522a6ac1a6704a5d456ac4d333b9a00484523de3c8dc4991

SHA512
f74932c31d25b90a3880834a3488055165d451d1c0ee9de423869c56e2ccd17c51c77ccfec18d94b1f1cf915ba5d220468e966b39cbea28ebf0dc626f44e35d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9deaa9cb7bef66ef1644019245dd14fc

SHA1
f0d1c56647751d521040adfc348d2031c7d2dac5

SHA256
3701d4c8e0a5fd643c655dc376f1298040f3bdb44a661bfac51ab49e4313d8d2

SHA512
bbf054638ea4000ffd86e36c07a47005b8db2d7ec09b6f9a275dd35a302727c10cb2c148f33102e114bc3853416b729ffaf95aafc36d98142ae9078d92b360fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
53940e08295f29539b0690a91f4ff97f

SHA1
032927c316ec61f3add6a3933bf03b3304a5aafb

SHA256
a376ebd5e3d60bb474177d2a7b9ecac0bf0ee3fbad31150d87e21813a9268398

SHA512
0efd39d8485554b22b8e670b45ae5265eb413e6ce4000b0d786a0cbd16d77b93e26ec159b07eef153a80d35cf2dd03c082a6bf4ec0cf3804ef3f0d9a54f61ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d3acc292b8f391558387a777c268f26a

SHA1
28889370ff121af0600a36ca8a273c575aa2bb27

SHA256
6a8057d29153603d049c42b2498e08027b24ecf4268cfed440855656ad93ff07

SHA512
47f261c6c1732697a3926d07d96a435817dfa91760008cff998c430a19f9a54251be62d6955d0b5aac7e2e1c51e7877fdbd662c9ba3958dd4881cec1509c4e81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5a8e7261ca35cea337ddf9f2ecb27b54

SHA1
a96a33b50164d4822388c8a5b7f040e015d699f3

SHA256
b5a9bb00760f728c08c609ba1aedff3d12cd3072965a6f2de6ab62f5637f2948

SHA512
d1b96c6c3ebbc5c80670bca5d06865b4e1b173e4fd275855f0fc3fdfbde155f390664d965159562601c559ccbac48710bcad0a9bcc0eb7ee51e54d898c449d50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a56f54118edf5a92d3869f596efdf1a7

SHA1
a9975abc6c6ca50d142bd1d51770be23a6d920e3

SHA256
508204b077d63670ab4081f56ac9cc4016c35fb3aaf2d177d377a276fd466f76

SHA512
8faf088c9054165c8e9bdad8e3b7dbfef9e886bbcb8d63e85bfb8188bfad7f09180c8051a7ef95ffd15890722ad21ca329fa5646608080b9b490683dfe550e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
559cd05ddf07d6c542ee14f4a808b33b

SHA1
e4e2a19cb4195daf012a6947a2ac794a177172f1

SHA256
49966a9531c4fb462910d39dbb2e3b54e3636f6160cfd9bc53525d76bc2ff6e0

SHA512
c49ffd3b61c4ad213cc8904cc65f49808a1b7b4330df3dd1d4158cd56c782a7a0cc990fa15969dd32d65d73f9ec814adbc881c5a835a3d711931b032aa2cddb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bcc53c6c2480d708043e7f442ab429f4

SHA1
b24f719fbf27dc1d110bba21da69051d4761ed83

SHA256
d69e27af3a4b8658c2142192672ce6b774e1992d0e54e0799a903bfdbae3d846

SHA512
00a413fe2375754e8eb07b63899513e2d44833d760d8c0fb6ac24ae1c8e5c65b5e9c9a1726a5d302b35368f3bca04a891d19728a2f7043b3cf02ea6f16a2f742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
65e0a9ee155f4d658b1662b104f4c556

SHA1
4eacd632386ada7449d1db2527ea5a4b8b08a627

SHA256
c32c0fada7f39873a4d88b655717dd0b73f21d02bc91f9e7ef946a774ac0f7f1

SHA512
cca7b722f354f229eead5232c83b8e1b5b1dc3e54340e6bb52b729de71fbdb0a6dbd14de931efbef1afae8e45950402eee713e209bf2f06ec7770f6746187b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ae658c6bfdfb52cd2e9f9834d576cd0b

SHA1
bc5dba1d2248ebaa0899b816754b739784868e75

SHA256
1bed7f6c9caa08bd8b9f54012bb430888aff7bc1ae0a52f8f0c92a30374302f5

SHA512
a3e27a3af0008ec389da59980b12f86fb3b14f9669e9f55236e85660080d800b953efca4549a98e01055674c94aed6ac971aa62beb41075882c302379a10e164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8ae1ce4147ec41f62bb81e036fd7a90a

SHA1
9b1e98bf4903fca682105097f83cfd5a247543ec

SHA256
d7433221d1a312c2a7069ac851d117d9e356607a8bc36c5b0c186220e789af83

SHA512
58621d8cd1090220ba21a8e083ba00733189517d23e345f080ad85bde4314590278cabe7a5bde233ff2d925dd38f6a12299e7410d05b9b81a2b25c16653ecc29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
08547475f9f41e9e9590ec87fd80b986

SHA1
9d643a197bbe31e77afbd1f7e2a4af89af39fdd7

SHA256
bdbe8483a5717d5c724fa391bff7f51d8fb430833878396ef18a6195a4d6a4da

SHA512
f1d48aa1780d4b93cff8f28c544474b676a20594c5462ae4dc6315f779c296d30f5a0c72113330a95eeb295f489057f096dd5c183ca154f47f5b55e8dc12cd65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
02d810ed60204af36ec3c74b3718ea42

SHA1
9a54a1888de83abc8a80d46aa4be94a7c92e067c

SHA256
c161391475d7f26474d2462e7339e8404f7b561fc6615d0c7cdedb625951e8f9

SHA512
7f25826e07574ef3c39b5c32f02701780918312fe5c60d9fe68de24ea59c9fce211a53681af03962cd8eb4e0facfae0873ed15d75ebee303911969fd075c5ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ae43b8732df1a91af989410276667210

SHA1
f00c7d15a0c71c7d00cb279db386f18bf1ef8832

SHA256
22caea9c0d53d67158e41f287fb8bcfe8eb86ed56eab5cee5241325b2e03993f

SHA512
fbab0dbd7fa1997d669763413d6f79e4ee08f5d0a9da6be5d177f401e44e38ee33617c1a8fb363ab9ca5aa951161be29cfbccab082bb6aebe822074e9144445d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5b564a.TMP

Filesize
10KB

MD5
8e005a6210755f668b86e774ce1aded6

SHA1
0347c1edef60486f33a82b1e0d241ae55c1fbc7c

SHA256
07efe94f586f5202042e4ce1c29a06e6bf64e854fc27a5175b89f7338bd5890f

SHA512
0e84c9d8bdb2184265eae91af5247abc0e0c7ede137371e03074f4ae9bb82d01dc468fdcfbf546d604190e70ad091d243396cde57de65c7cd58b608700ee3777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
1445af24348be8634319c42e998fd9fb

SHA1
4de56a90e82a0e283bb7e4ebe577d4937d71ba4b

SHA256
444b30d0e810c6b434205378a44aa1610e69ff6c30d9ec50704ef8f856561d10

SHA512
b372696fee45dc04709b963481bf6726b5e3a94ebd68fce15f5805e25d833e424e0c88a91e7c39acad07d530620feff3a36ab8b4ac72ba1b22bcf8afae688281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
f24a023eee06beb34bfa27fee13e095b

SHA1
bfb9a9bfad7081f3d4f4e2cb26a48f553fd8e2d1

SHA256
4539f93a32b15a00456fd33ec647b989e56dbfa5b0cd4c3d2df015104d296001

SHA512
fde7d8f2063108fc973dae564aa8f3016e14edd7d1305ffce05c00cdc635dea9fcfca9dfb499079f7e96ebf2bfd77a9c0f36c540d9aed4ea91463afa728624a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
94cc16e9e91a395561641525ed28b380

SHA1
7b92f48d113befcc90d5220a42795f68a99ff7ad

SHA256
786c25feb9c218b42d790065d1c29282497348d3e39639b8b24895b40b74e346

SHA512
635bb9084f21156f138122abee4b37035c9cdb809f74824e0af733e5847e697484a2f1d446d421e27112c481dece765fe816dadad475ee6f1f27f02cc17db7f2

Download Submit
C:\Users\Admin\Documents\ResetRename.xps.id-64D63081.[[email protected]].ncov.ANNABELLE

Filesize
2.9MB

MD5
208f199c1ac4cc888c7ccfa6bbc4e91a

SHA1
d61a838b1935506df39545aeb278c2261285e018

SHA256
3b1f3cccda33b2e5caecc1022fbd379b4a6b2661511db0ee091e5ecc832292c1

SHA512
336f9fa2c99cbd9d23773ceae476e4e0778d54cee344da8d53e1f973c7d96729a3cffae15c5498af6cbea5a916529bb2f0e765ae5fca4ce29fe95de511518395

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\7ev3n.exe

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 71266.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\Downloads\WinNuke.98.exe

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\crashpad_2212_VTEXCIWAKUNIVDQS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3616-407-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/3616-388-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3616-6845-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3616-21238-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/3616-408-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/8356-25329-0x000001D9B0A40000-0x000001D9B1A34000-memory.dmp

Filesize
16.0MB

Download
memory/8356-25369-0x000001D9CC1E0000-0x000001D9CD76E000-memory.dmp

Filesize
21.6MB

Download
memory/12772-25361-0x0000000000D00000-0x0000000000D6E000-memory.dmp

Filesize
440KB

Download
memory/12772-25362-0x0000000005CB0000-0x0000000006256000-memory.dmp

Filesize
5.6MB

Download
memory/12772-25363-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/12772-25364-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads