dharma | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
89s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
20-11-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

liveos.zapto.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
tst
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y7B4RN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

redline

Botnet

TG@CVV88888

185.218.125.157:21441

Extracted

Family

lumma

https://quialitsuzoxm.shop/api

https://complaintsipzzx.shop/api

https://languagedscie.shop/api

https://mennyudosirso.shop/api

https://bassizcellskz.shop/api

https://deallerospfosu.shop/api

https://writerospzm.shop/api

https://celebratioopz.shop/api

Extracted

Family

redline

38.180.109.140:20007

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x001900000002ab29-89.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/1468-213-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral2/files/0x001900000002ab4c-274.dat	family_redline
behavioral2/memory/2260-281-0x00000000007F0000-0x0000000000842000-memory.dmp	family_redline

Redline family
redline
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2456 created 3344	2456	Restructuring.pif	52
PID 2456 created 3344	2456	Restructuring.pif	52

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4464	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 16 IoCs

pid	Process
5040	file.exe
1200	remcos.exe
3260	MajesticExec.exe
124	PctOccurred.exe
3924	pp.exe
3492	sysppvrdnvs.exe
2456	Restructuring.pif
228	clsid.exe
396	CoronaVirus.exe
4640	Restructuring.pif
476	surfex.exe
2832	Restructuring.pif
1604	coreplugin.exe
2260	kiyan.exe
4604	Cultures.pif
4396	probnik.exe

Loads dropped DLL 1 IoCs

pid	Process
228	clsid.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	pp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4248760313-3670024077-2384670640-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4248760313-3670024077-2384670640-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
6	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4556	tasklist.exe
2812	tasklist.exe
3192	tasklist.exe
2980	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 4124	1200	remcos.exe	83
PID 228 set thread context of 4940	228	clsid.exe	112
PID 476 set thread context of 1468	476	surfex.exe	119
PID 2456 set thread context of 2832	2456	Restructuring.pif	115

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.9aa3b2ef.pri	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\dom\getParent.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\ui-strings.js.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-40_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Windows.AI.MachineLearning.Preview.MachineLearningPreviewContract.winmd	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-60.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsStoreLogo.scale-100.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\selector.js.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-48_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCardPreview.types.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\DateTimeUtilities.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\ui-strings.js.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\concatStyleSets.js	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.id-487ED16C.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	pp.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	pp.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2864	sc.exe
3144	sc.exe
2112	sc.exe
2308	sc.exe
3244	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coreplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cultures.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PctOccurred.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Restructuring.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clsid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	surfex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Restructuring.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiyan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
37288	vssadmin.exe
10588	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
4464	powershell.exe
4464	powershell.exe
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
4940	MSBuild.exe
4940	MSBuild.exe
4604	Cultures.pif
4604	Cultures.pif
4604	Cultures.pif
4604	Cultures.pif
4604	Cultures.pif
4604	Cultures.pif
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe
4396	probnik.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1200	remcos.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3492	sysppvrdnvs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	4363463463464363463463463.exe
Token: SeDebugPrivilege	4556	tasklist.exe
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4940	MSBuild.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	4396	probnik.exe
Token: SeIncreaseQuotaPrivilege	2836	wmic.exe
Token: SeSecurityPrivilege	2836	wmic.exe
Token: SeTakeOwnershipPrivilege	2836	wmic.exe
Token: SeLoadDriverPrivilege	2836	wmic.exe
Token: SeSystemProfilePrivilege	2836	wmic.exe
Token: SeSystemtimePrivilege	2836	wmic.exe
Token: SeProfSingleProcessPrivilege	2836	wmic.exe
Token: SeIncBasePriorityPrivilege	2836	wmic.exe
Token: SeCreatePagefilePrivilege	2836	wmic.exe
Token: SeBackupPrivilege	2836	wmic.exe
Token: SeRestorePrivilege	2836	wmic.exe
Token: SeShutdownPrivilege	2836	wmic.exe
Token: SeDebugPrivilege	2836	wmic.exe
Token: SeSystemEnvironmentPrivilege	2836	wmic.exe
Token: SeRemoteShutdownPrivilege	2836	wmic.exe
Token: SeUndockPrivilege	2836	wmic.exe
Token: SeManageVolumePrivilege	2836	wmic.exe
Token: 33	2836	wmic.exe
Token: 34	2836	wmic.exe
Token: 35	2836	wmic.exe
Token: 36	2836	wmic.exe
Token: SeIncreaseQuotaPrivilege	2836	wmic.exe
Token: SeSecurityPrivilege	2836	wmic.exe
Token: SeTakeOwnershipPrivilege	2836	wmic.exe
Token: SeLoadDriverPrivilege	2836	wmic.exe
Token: SeSystemProfilePrivilege	2836	wmic.exe
Token: SeSystemtimePrivilege	2836	wmic.exe
Token: SeProfSingleProcessPrivilege	2836	wmic.exe
Token: SeIncBasePriorityPrivilege	2836	wmic.exe
Token: SeCreatePagefilePrivilege	2836	wmic.exe
Token: SeBackupPrivilege	2836	wmic.exe
Token: SeRestorePrivilege	2836	wmic.exe
Token: SeShutdownPrivilege	2836	wmic.exe
Token: SeDebugPrivilege	2836	wmic.exe
Token: SeSystemEnvironmentPrivilege	2836	wmic.exe
Token: SeRemoteShutdownPrivilege	2836	wmic.exe
Token: SeUndockPrivilege	2836	wmic.exe
Token: SeManageVolumePrivilege	2836	wmic.exe
Token: 33	2836	wmic.exe
Token: 34	2836	wmic.exe
Token: 35	2836	wmic.exe
Token: 36	2836	wmic.exe
Token: SeIncreaseQuotaPrivilege	2684	wmic.exe
Token: SeSecurityPrivilege	2684	wmic.exe
Token: SeTakeOwnershipPrivilege	2684	wmic.exe
Token: SeLoadDriverPrivilege	2684	wmic.exe
Token: SeSystemProfilePrivilege	2684	wmic.exe
Token: SeSystemtimePrivilege	2684	wmic.exe
Token: SeProfSingleProcessPrivilege	2684	wmic.exe
Token: SeIncBasePriorityPrivilege	2684	wmic.exe
Token: SeCreatePagefilePrivilege	2684	wmic.exe
Token: SeBackupPrivilege	2684	wmic.exe
Token: SeRestorePrivilege	2684	wmic.exe
Token: SeShutdownPrivilege	2684	wmic.exe
Token: SeDebugPrivilege	2684	wmic.exe
Token: SeSystemEnvironmentPrivilege	2684	wmic.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
4604	Cultures.pif
4604	Cultures.pif
4604	Cultures.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2456	Restructuring.pif
2456	Restructuring.pif
2456	Restructuring.pif
4604	Cultures.pif
4604	Cultures.pif
4604	Cultures.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4940	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 5040	2428	4363463463464363463463463.exe	81
PID 2428 wrote to memory of 5040	2428	4363463463464363463463463.exe	81
PID 2428 wrote to memory of 5040	2428	4363463463464363463463463.exe	81
PID 5040 wrote to memory of 1200	5040	file.exe	82
PID 5040 wrote to memory of 1200	5040	file.exe	82
PID 5040 wrote to memory of 1200	5040	file.exe	82
PID 1200 wrote to memory of 4124	1200	remcos.exe	83
PID 1200 wrote to memory of 4124	1200	remcos.exe	83
PID 1200 wrote to memory of 4124	1200	remcos.exe	83
PID 1200 wrote to memory of 4124	1200	remcos.exe	83
PID 2428 wrote to memory of 3260	2428	4363463463464363463463463.exe	84
PID 2428 wrote to memory of 3260	2428	4363463463464363463463463.exe	84
PID 2428 wrote to memory of 124	2428	4363463463464363463463463.exe	85
PID 2428 wrote to memory of 124	2428	4363463463464363463463463.exe	85
PID 2428 wrote to memory of 124	2428	4363463463464363463463463.exe	85
PID 124 wrote to memory of 816	124	PctOccurred.exe	86
PID 124 wrote to memory of 816	124	PctOccurred.exe	86
PID 124 wrote to memory of 816	124	PctOccurred.exe	86
PID 2428 wrote to memory of 3924	2428	4363463463464363463463463.exe	88
PID 2428 wrote to memory of 3924	2428	4363463463464363463463463.exe	88
PID 2428 wrote to memory of 3924	2428	4363463463464363463463463.exe	88
PID 816 wrote to memory of 4556	816	cmd.exe	89
PID 816 wrote to memory of 4556	816	cmd.exe	89
PID 816 wrote to memory of 4556	816	cmd.exe	89
PID 816 wrote to memory of 2204	816	cmd.exe	90
PID 816 wrote to memory of 2204	816	cmd.exe	90
PID 816 wrote to memory of 2204	816	cmd.exe	90
PID 816 wrote to memory of 2812	816	cmd.exe	92
PID 816 wrote to memory of 2812	816	cmd.exe	92
PID 816 wrote to memory of 2812	816	cmd.exe	92
PID 816 wrote to memory of 4000	816	cmd.exe	93
PID 816 wrote to memory of 4000	816	cmd.exe	93
PID 816 wrote to memory of 4000	816	cmd.exe	93
PID 3924 wrote to memory of 3492	3924	pp.exe	94
PID 3924 wrote to memory of 3492	3924	pp.exe	94
PID 3924 wrote to memory of 3492	3924	pp.exe	94
PID 816 wrote to memory of 4036	816	cmd.exe	95
PID 816 wrote to memory of 4036	816	cmd.exe	95
PID 816 wrote to memory of 4036	816	cmd.exe	95
PID 816 wrote to memory of 2808	816	cmd.exe	96
PID 816 wrote to memory of 2808	816	cmd.exe	96
PID 816 wrote to memory of 2808	816	cmd.exe	96
PID 816 wrote to memory of 4772	816	cmd.exe	97
PID 816 wrote to memory of 4772	816	cmd.exe	97
PID 816 wrote to memory of 4772	816	cmd.exe	97
PID 816 wrote to memory of 2456	816	cmd.exe	98
PID 816 wrote to memory of 2456	816	cmd.exe	98
PID 816 wrote to memory of 2456	816	cmd.exe	98
PID 816 wrote to memory of 3444	816	cmd.exe	99
PID 816 wrote to memory of 3444	816	cmd.exe	99
PID 816 wrote to memory of 3444	816	cmd.exe	99
PID 3492 wrote to memory of 2932	3492	sysppvrdnvs.exe	100
PID 3492 wrote to memory of 2932	3492	sysppvrdnvs.exe	100
PID 3492 wrote to memory of 2932	3492	sysppvrdnvs.exe	100
PID 3492 wrote to memory of 1340	3492	sysppvrdnvs.exe	102
PID 3492 wrote to memory of 1340	3492	sysppvrdnvs.exe	102
PID 3492 wrote to memory of 1340	3492	sysppvrdnvs.exe	102
PID 2932 wrote to memory of 4464	2932	cmd.exe	104
PID 2932 wrote to memory of 4464	2932	cmd.exe	104
PID 2932 wrote to memory of 4464	2932	cmd.exe	104
PID 1340 wrote to memory of 3244	1340	cmd.exe	105
PID 1340 wrote to memory of 3244	1340	cmd.exe	105
PID 1340 wrote to memory of 3244	1340	cmd.exe	105
PID 1340 wrote to memory of 2864	1340	cmd.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\ProgramData\tst\remcos.exe
      "C:\ProgramData\tst\remcos.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1200
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
- - C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe"
    3⤵
    - Executes dropped EXE
    PID:3260
- - C:\Users\Admin\AppData\Local\Temp\Files\PctOccurred.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PctOccurred.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:124
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 193997
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "JulieAppMagneticWhenever" Hist
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
        
        Restructuring.pif y
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2456
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3244
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2112
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3144
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\3023024615.exe
        
        C:\Users\Admin\AppData\Local\Temp\3023024615.exe
        5⤵
        
        PID:10884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:11496
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:11268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:11424
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:11240
    - - C:\Users\Admin\AppData\Local\Temp\401215673.exe
        
        C:\Users\Admin\AppData\Local\Temp\401215673.exe
        5⤵
        
        PID:19584
    - - C:\Users\Admin\AppData\Local\Temp\1152414695.exe
        
        C:\Users\Admin\AppData\Local\Temp\1152414695.exe
        5⤵
        
        PID:25064
- - C:\Users\Admin\AppData\Local\Temp\Files\clsid.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\clsid.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:228
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\Files\CoronaVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\CoronaVirus.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:396
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3512
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:368
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:37288
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:10056
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:10224
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:10588
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:10392
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:10344
- - C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1468
- - C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:4128
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 297145
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CorkBkConditionsMoon" Scary
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
    - - C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        
        Cultures.pif k
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4604
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
- - C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\Files\probnik.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\probnik.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic nic where NetEnabled='true' get MACAddress,Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:23300
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:8508
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:26112
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:10756
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:10916
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:11536
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:15640
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5720
- - C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe"
    3⤵
    PID:11904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:11748
- C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
  C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
  C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:20216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll.id-487ED16C.[[email protected]].ncov

Filesize
2.5MB

MD5
d1aaca06eb8ee884dc6d5210bf97a9ab

SHA1
21e87cd4e8854d560c1a84ecf944dcbaf98fd684

SHA256
5ac97830ae2c8abb70b3fb8a52cd14059a08970379eab7f9cdfaf3df00a447ee

SHA512
d0515133a09f2d15727cc2cf40dd8045bc61aebb8e3b643fde1e15e424080e6afe17d88de29f973f9959785cf9a585820b324e34463a40ab9a127ba2836cc00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\193997\y

Filesize
662KB

MD5
d6a0473754ad77650d88eaa94cf4bcf0

SHA1
d2123bf8b796fe6f76e570641037d9420b3f3c78

SHA256
355d2dc53492ea6ba26263dd8a2f7544ae3a36c17f64cccb6ad84007bebafbb7

SHA512
14d844255fb657a039d4f94ddcc58acc79d44fdc58882ace49a453c537db86ceeef9a10640d83ff20af2caa0e880de3e77b7afbf2af79291873c0f81db72d3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2482120685.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\297145\k

Filesize
588KB

MD5
274fa8ecfc2b621adf29743ec211c821

SHA1
1e2b7a4ede9f310a41ec1bb20f9fc65e8c78cb09

SHA256
c7cc76e85d7cbad9f711037749c16b564f341f9891f201d3a2f3917fd02dec1d

SHA512
3465aaf70e0a66607c8119f4eacf4251a54b9b560f725db2daa9d1ca31610ab42b82ce193f03a7934f057d53a5508ae8cbc181aac72a74c5bfbe2ff2cc40383f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ak

Filesize
63KB

MD5
2078e604090ab3f34e7254584f5b5e18

SHA1
6c6923837538fe0516a7395fd114c6000da29fdb

SHA256
9b129a2e4cef84ec4f1101524cdec497f7daeed3fda8cac227803772ebb80ca7

SHA512
af16f5679fc77dfd32c2bc2bfcaf80f56d633a3cb47941565f35ca84c5b385eeebd4caf8a703860a2e3b1a55a808a576a85ed0c5a6595ffa7d2fb0435dbee08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anytime

Filesize
14KB

MD5
34f878824965920ddf290ce15bafcd7a

SHA1
b6456e4568e35812b305c48b40ce0b49ec93474f

SHA256
11ab93b51d9586708b9be1b503369579cd97f7c5870e6b48a1145abdcfcec502

SHA512
0427f3cd29319f2da5899707f44485d518897ce3dbfbacc0c2ccb346c9c2d636f9dc527d52442fc6e824a120a2b312cca0cfc5e7523414601dcc57b8f289bbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autumn

Filesize
62KB

MD5
452ec03a6dc9758ff5c0d17f9e55572a

SHA1
194df13d1dd92f3c986bb1b196eebf6e25900412

SHA256
bd9b030da3887b0cb821ef37aab7771d7d048c05835c3eb5ee034cd077a85cd3

SHA512
f2d6979ac9915991020522d4c7218e431a437d9b06b40c395923fdacc514056f01ca127f4264697f0e49faf88b15df8eb6cca80f69e0983f4af7dcda51a87f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bs

Filesize
52KB

MD5
5383c87dff2feb9b2c8e93c4bed93e34

SHA1
1487faf6f6e098fd878f4536bb99cf8c628b12a4

SHA256
963b21a66a6afd24e3c8eab4e9d3fa803caca58f2f1e2cbd2e80451ab2b5bb73

SHA512
af6219b70b180518f7a5866e95719e23a28394b814239f38250383511b7da1d3712dbd49be75e375f66226192dfc2d46dd905f0733e6bfffe13eeac3ef9f975d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dependence

Filesize
50KB

MD5
789c392f24a9026d1c1c6c77fc17e5ed

SHA1
d2bf2c815466d819814f0ea7b8082c6622e25c3e

SHA256
cd2343790ee7fc99da52305a3566e1ada92535e53f7fdf6e93a6b205b2e07d11

SHA512
82cc4aa698f946807755f09da549e9db378806e297ae743531b434f34a3fc543307040157818d4535a654eb76f0a2874de707c5992b21284c22f24f7159440bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Developmental

Filesize
96KB

MD5
3a466d81179d1a97930bbb1b7e953c63

SHA1
537d76ca2d7562f442219eb59bbe0b2a2ec6c6cc

SHA256
444bd68c2cd9fff6a2794653bbbe7d0a3fdf5511a925c7ab8315671cad264d84

SHA512
b582c47bdbfe6b652f21d6803ace180028074c923dbb9f8f0be4e82fadcd7829ebc106082652d2d29016da32f7bb3b55c165e77b76816039083038b011cd20db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entity

Filesize
75KB

MD5
116177ea561e297830d84e68e4851a28

SHA1
80545b33450655d3e5e7c055aace79a31eadd3af

SHA256
3570fa88359a94df74450f1be19f8fb54e566270f968254ac56b616a424b8446

SHA512
86e8f3dc6a9b18f4e5a9f2cb1f58baabe782ca264105967987e0eae987f00eeece800ee4f3c126b95ea471c5fd6530d11a87bb9be5a7a2c66ea473b84be6f839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe

Filesize
1.3MB

MD5
1de4c3cc42232c1e3d7c09404f57b450

SHA1
28adaa72fe927ade1b3e073de288e1b6f294d346

SHA256
131e2baac32f898ab2d7da10d8c79f546977bc1d1d585ba687387101610ed3b9

SHA512
580aae865d815236e1030b173b67dc7002c70cb82caf00953999174833ce22512a4276cae4357b81e0c44e83dbf22eee9713c1138db0887e6f83d72495255671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe

Filesize
12.0MB

MD5
1963ce8f3f680d344d195bc27449b9a7

SHA1
2e6003b291dd2ffde77487be166536f63c66c672

SHA256
46d936bdc8ae3c40d119eec506b3a8aef4f6b97d10207fe4768692c3e887d082

SHA512
fb628ec38dc1e477fd90059b7a5901b0a76b43cb3bdebab38f50d85657385668323a97206769ca73028c94b9ee053a483828ce0a56a032bed2c3f5848b7025a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PctOccurred.exe

Filesize
1.3MB

MD5
31f04226973fdade2e7232918f11e5da

SHA1
ff19422e7095cb81c10f6e067d483429e25937df

SHA256
007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512

SHA512
42198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\clsid.exe

Filesize
581KB

MD5
ee38099063901e55eddc5d359f1b188a

SHA1
28bbb4fa1d8cb6fd3ca9c98b7a14127d2042fa5f

SHA256
16b4a4092e2e158ee058cc4daa69f61829872de92cc1167a0094cded388a5e48

SHA512
6c7b96c43dfd0bfea522177afa38944e67493e0ca9f1aed26f8f46c265e1d39953eefad6644d93201122665c91520628f6aaf81e91e5ffb78e3ca8fb277f8c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe

Filesize
1.1MB

MD5
9954f7ed32d9a20cda8545c526036143

SHA1
8d74385b24155fce660ab0ad076d070f8611024a

SHA256
a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5

SHA512
76ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
482KB

MD5
13095aaded59fb08db07ecf6bc2387ef

SHA1
13466ec6545a05da5d8ea49a8ec6c56c4f9aa648

SHA256
02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671

SHA512
fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe

Filesize
304KB

MD5
44e17821665477b21d6c50cee97c84ef

SHA1
4fc146790747758f49f1fd4375144f000099a6cb

SHA256
5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045

SHA512
ab98a8151b41b56d7e59c375541c366df2f83c01ee26a5d1f079f74fb69eac4d229df62d3900eb8db6fd8cae1e420c21b7b9b2b3a44a8b135cb6659b6b70b6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\probnik.exe

Filesize
8.8MB

MD5
62b9695de8a9804b9ea04b2a724ea509

SHA1
0c6708e1920ca916141f3972def42dcd9561a208

SHA256
fda5a3cad6c0b17feba517625f66e3585f668e5f341ae8a41edf7aadb98c8904

SHA512
a344d2cf6bb8708123c0c7d16a03af2b657ac4fd136e8888866206ac1b9f75e908851cdf65022b5e5ac5a9086b1695c04319306e63d81d23693211beb13eaab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe

Filesize
310KB

MD5
1f4b0637137572a1fb34aaa033149506

SHA1
c209c9a60a752bc7980a3d9d53daf4b4b32973a9

SHA256
60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648

SHA512
4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hist

Filesize
486B

MD5
01f1ebfab9f7716fd124ef8edd32a90f

SHA1
85a045dab05d4c1360f97f3e3d32679e844766c8

SHA256
379fdc3da78974a0332ec7b4c0704d500869ab83afadeba852cd2b510aec4f80

SHA512
3f1300fc81667a73026fe79f4984278e65d87ba1d2ccb1833c50319f5cf5d44a6865bd9ad8cd12586e0500f99c670174b8e544e440d7d5e3be27acf2e068e8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keyboards

Filesize
2KB

MD5
648848687fe144ab2925ff056f85e839

SHA1
ad8601e28076e553bdce4b49e5585d193ce9f26f

SHA256
68340ba1f2afcb31904ad77653b22b19601a86d2031b39ce320611fc26a30462

SHA512
ff5b5d86710242944a6c5a6ba6ec29e57e561ce156022243f0d6028a8ec2eba0d6f13dcb2ab007a5c38c5f69fb8bb5816ddcead72588626a6626bb1336f77b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Medicines

Filesize
63KB

MD5
394e00f0b18a19021b82919b0953a251

SHA1
3dfd4dbf28f4aa4c08c74b70662c01c950bf3ad9

SHA256
9d32778c46127d2af6991663c47dac68ac3424181063b44e82e3b82af73369a1

SHA512
b5e6c76075e19bdcbcd0ae4ccf9acb37154d84dbe1a17b9c2e40ce9e4d5b194774d608d812ae54f8f6331e255d3f1820a526eb8ad80b174babe6a39a2002f5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Metal

Filesize
872KB

MD5
df92f49798927e26d55ee2b2960ec575

SHA1
d5ebf4282b0211581ee8c045648344436a48cbe4

SHA256
3a5d45c801aeb5dea347a3d839fcc6b97ef05debb6610f6cfbf0f0f05f31708c

SHA512
f6cd8abddae95e994a1bdbc56ff8ca264251ef766c652cccd8ae86baeb295c625dba154c4213f656e01de56b4c189172da8bcd3b696b29c140ebb90d47543245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notify

Filesize
97KB

MD5
d2e87660657c72b7586229f0a527baa4

SHA1
df958a5f78afc064469f5962f63093f9ad3b9730

SHA256
52b2bc0e121550926e6d4192f33b3fea69c8ea3ada30fed7f2834329c0e9d937

SHA512
787b7dcfc8781ad7e91a10e8cf24693c5022f9384ab281bdc7f9dec5ba3de5caa6317a7dd72bbc2c2aa5b2253c4eea4d66cc84438851f322defc3cb26be003f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nsw

Filesize
86KB

MD5
3a101a4debc56430a71099bf04c80683

SHA1
810586a8643760928dc4eb225ee8289aa12fc1c4

SHA256
a56a2267d677e828f47d4b3f95e1d88b4ec2952c97774e1972e54435349da585

SHA512
b9f2aed5f0a0125d5e76bbc2dab86faf735b03b0e1acbc772bd3577a8aa9232d74eb6134f9afe515fa356c8650d0618bff49af209d1022dc13d44f289a8182ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pending

Filesize
90KB

MD5
06d0cfa8f4d5e2194e8f4f34ea2e494f

SHA1
b2b5aba05082694373c0af6441c023762b1a5f4c

SHA256
7918ec226697fdbe81d8d934ff91515561344749cf308f2c7844b419d9d261b3

SHA512
da32a3baf3ba9b23acd90defb7dae2f6507ced8988ec608d4d3373db403ef8fa773f94de8e2c3a62e9633025ebb13ee2c371382b4d5b50e8335506c4da79e31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Powell

Filesize
7KB

MD5
4ae2c64145fe81c75f62a1ac65904a58

SHA1
fd70229a1fcd534498c7179ca3a02abb6523a277

SHA256
315e74622a85b4dce78188b734154a595ff1a1a8cb191b2d92a95be1c0bdbc37

SHA512
bf81502fe99ba78b414577df49c86c98c8154f409c41ee536dcf29fe979a859e40561b3d97245ee76d9ccfc908f9a623372c77ec05b8a8e665777aae01a475a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Previously

Filesize
12KB

MD5
19619c17bb54b094153087755699b293

SHA1
a05ae89e06df0ad98e972e8ae9fa10dc35daa040

SHA256
015ea0bbbb4beb4f7820695f2b11ee4881e235fae8eb81c050dd275881bc3c9d

SHA512
b9bcd33320cde7196f0ea22a6e929c12c41f21ff8698c5d8f8ee02472e470da4f61da037e98ae643239c3cdf1629f01e2c301d7c88ad5c91e206383b7799a663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ranges

Filesize
93KB

MD5
eb63265d59ea38ce60cfc60ea47a2685

SHA1
e109164d0a7282f5a7f7210a2853c8993fc55b69

SHA256
bab388ef94ebf24d7c86771f21506dcf898ba614b548d9c39470cf8494533187

SHA512
bb4cafe2438b7b2b1cfa43f35cf523157fb8b57da7293889f71b3e9620a8ff8c914fe687ecd8f90149289760e7e8fe7bfb9e9b9cd3616e25f88f90eb3dbe2ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remained

Filesize
94KB

MD5
7eb0c07b15f6891636b5b18e6c8782eb

SHA1
41f132b6db4d2b5253e91d84e927995a00e96976

SHA256
a378de033ee73a1881a1d65e6a49686d087614d46286360698b639b62c097e84

SHA512
688e2327e9afb9561fb7b4e932efdd22ce56e0efdfcba80eb058cbabb6595c93216590290281a3ae34b45f623d2dd1325edfd5375f3caac129ae2d7b4777f754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scary

Filesize
333B

MD5
89be785636a2018988c85939e78a1e71

SHA1
b0fa7a0be48db5f3fe2ca030540afd81e11fa364

SHA256
506e3270f77d44bd51f4ca86f1769f4278205a2d829cde1c3b23210c9129fa2a

SHA512
21651852f31ee73811920b55cbc93070b98a321dfbfa02d5d897bcb6d706d2eb235c8a2787b93454606545d5f58efed6ac231f62120fc1e5c8c306fe1640db1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scott

Filesize
96KB

MD5
7e600368be6cc5c03b1bf613a36885d1

SHA1
c0cc74598ef38940fc48ccb01fa27e9b27e80e62

SHA256
0b4bfde6485d29cba34de2cd28191b5fc21dfcd3aca109f68599e19a609cbe44

SHA512
b6b66babcadd81d4e4e5b62e778ea79acc2a48b9c0ab9bf81a7ec61f9f9ccf394bc16982b80f07b113645a24f209d68cddc733266d0f0e3d722567f120d425cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shared

Filesize
64KB

MD5
4ed69d1a2f6cb1dd70a13b7e544f9401

SHA1
3b8ac5e3a81f3df6606fd8299caa6dda0ba4cb7d

SHA256
a3943d010f90ff967e0abe3e2337ed3fe4c7f998cab6d35b032061acc645b41f

SHA512
6374f4c98d07f1bcb54b50fe8c425d484e1c70747c0702ac3d6fb2ee5715f82b5bac03a9090c97eae574aeaf3f1d64eb628b4faf2e64ed08cea5368f1ecb889c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Statistical

Filesize
84KB

MD5
5822d1bc4305d9f19939768fdfbf4d31

SHA1
30949a77d5c66825c5255566a2c074142d114f04

SHA256
15ae29d30cebd36f8b499edd660444cb16e880ec5469e14c608f76a59f15faa7

SHA512
b474b021d0e8b405ea64bda4afef1c191834236c759a5e52fb8813fdfca14536942c9600624cfd1d675fd9e119579795c86dddabbf909eea21a585236b2489c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stewart

Filesize
872KB

MD5
121c1acb3a03bd31c6ae1e13db4469c8

SHA1
e1d7be7f98ad139a0a0db4ef4014af420915ff2e

SHA256
1ecdd3d64dc38399a17c68412ecba9b9c1a31b9911605f22a362b4f0a1c7f21d

SHA512
898740bb7499b5d889c6b81b780cf76ace4ded1c50e26c6b9149fc9143724789328a937d0d6496e5838af5964813ff4d9edb0f8f696d8054ff5e03613f351583

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp12D7.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\While

Filesize
71KB

MD5
8d0730549c077df4608642def3a3797b

SHA1
70ff0d8c5a80918766cee21a944ffcf1a589c35a

SHA256
34c4628b7b7f34ba02bf64d730eb7e957f943dc404f2f36a543b8d406b78775c

SHA512
ddb2ebebc032ace041df5ff83e2a4b68086ec4f89bd8a30f36cfe6fb7909ac895c00730c47a267bf5ba31ecf5863e4108c869a9d18dab538f4c18a5ee3a3d20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_britqnxf.i2t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4248760313-3670024077-2384670640-1000\76b53b3ec448f7ccdda2063b15d2bfc3_b848c091-c5c8-484e-a875-d9344837e5ab

Filesize
2KB

MD5
1714dceb0a0221b9742b75e1b437b754

SHA1
0b49535d6ee5b56c71b17abfd6f5ae072e54e4f5

SHA256
e9582416d5a43ddefe5512bf6ec86dac7f258703bab7cef56e80d022ffdf8cb9

SHA512
9258c587150111b28de9f8914984e331d1b9c87e93807a0f81f30c2188791ffc0965735a5f534e9010b66c667ed12db44c7d6b53cd030722192757a417f6c91c

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
401KB

MD5
711d4b92926c5dbb4267a86d87b41121

SHA1
ad71b51d7cc6092abbb6861f89743b5517081fba

SHA256
73154a21f9aa792469cebb6c13398f275d9f44bc5407c3feb150d6ff9f8d644c

SHA512
cbf838c5d5f9d269dd273f61c1d7a3036915bd4a644ee25a90e870dfeaf312635b30812980e39ecd282eacee427fafc4296f8968450d73a407ebefa67cf4d4c6

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
0a4894b79bf87098fb66eabf5447fd05

SHA1
cb3b8186cb5cc15d74065d738a4eb6734930fef0

SHA256
5f2e1601dc8f84f6e6d1784663ff6e09b9131b888fd1604baf6d58720af897b7

SHA512
0fb0d394995fbbcabb536342fbc0bdd01a984d69427001e5e065fbd9e68882a812731bf501006bf6620e91c0c97ed19bd6fd72542f0e990824d0a44eb4655eb1

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
b53661f05a5aa05421563bc2e4582d33

SHA1
ea2b868e9df33b3a42e11628ca16ef5e80e388ac

SHA256
6bbb01e52f3a7d19487672eca39b8ca56e760de9772d85ccd523410b9c13ea19

SHA512
6679f82cd597c2ad212ebb66e26910cf09f9c4216bcb067883d185c9f8106297cf8bdccbdb879fe99cde0d1e48df851a828ef1dc4c59028be8848b9519b08b3e

Download Submit
memory/228-173-0x0000000000B30000-0x0000000000BC8000-memory.dmp

Filesize
608KB

Download
memory/396-196-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/396-6202-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/396-328-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/476-211-0x0000000000F20000-0x0000000000F74000-memory.dmp

Filesize
336KB

Download
memory/1468-238-0x00000000064D0000-0x000000000650C000-memory.dmp

Filesize
240KB

Download
memory/1468-213-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1468-235-0x00000000069E0000-0x0000000006FF8000-memory.dmp

Filesize
6.1MB

Download
memory/1468-232-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/1468-230-0x0000000005CC0000-0x0000000005D36000-memory.dmp

Filesize
472KB

Download
memory/1468-239-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/1468-236-0x0000000006530000-0x000000000663A000-memory.dmp

Filesize
1.0MB

Download
memory/1468-237-0x0000000006470000-0x0000000006482000-memory.dmp

Filesize
72KB

Download
memory/1468-215-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/2260-281-0x00000000007F0000-0x0000000000842000-memory.dmp

Filesize
328KB

Download
memory/2428-2-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/2428-1-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2428-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/2428-116-0x0000000075220000-0x00000000759D1000-memory.dmp

Filesize
7.7MB

Download
memory/2428-115-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/2428-3-0x0000000075220000-0x00000000759D1000-memory.dmp

Filesize
7.7MB

Download
memory/2832-242-0x0000000000530000-0x000000000058B000-memory.dmp

Filesize
364KB

Download
memory/2832-240-0x0000000000530000-0x000000000058B000-memory.dmp

Filesize
364KB

Download
memory/2832-231-0x0000000000530000-0x000000000058B000-memory.dmp

Filesize
364KB

Download
memory/3260-68-0x00007FF6C6BF0000-0x00007FF6C77F5000-memory.dmp

Filesize
12.0MB

Download
memory/4124-5368-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-24884-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-45-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-48-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-46-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-161-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-244-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-5287-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-47-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-247-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-160-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4124-22935-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4396-17658-0x00007FF647270000-0x00007FF647BDE000-memory.dmp

Filesize
9.4MB

Download
memory/4396-24543-0x00007FF647270000-0x00007FF647BDE000-memory.dmp

Filesize
9.4MB

Download
memory/4396-6203-0x00007FF647270000-0x00007FF647BDE000-memory.dmp

Filesize
9.4MB

Download
memory/4396-25152-0x00007FF647270000-0x00007FF647BDE000-memory.dmp

Filesize
9.4MB

Download
memory/4464-147-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/4464-155-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/4464-146-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/4464-145-0x0000000008160000-0x00000000087DA000-memory.dmp

Filesize
6.5MB

Download
memory/4464-144-0x0000000007990000-0x0000000007A34000-memory.dmp

Filesize
656KB

Download
memory/4464-143-0x0000000006D50000-0x0000000006D6E000-memory.dmp

Filesize
120KB

Download
memory/4464-134-0x000000006F8C0000-0x000000006F90C000-memory.dmp

Filesize
304KB

Download
memory/4464-133-0x0000000007750000-0x0000000007784000-memory.dmp

Filesize
208KB

Download
memory/4464-132-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/4464-131-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/4464-130-0x0000000006250000-0x00000000065A7000-memory.dmp

Filesize
3.3MB

Download
memory/4464-121-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/4464-120-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/4464-119-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4464-118-0x0000000005940000-0x0000000005F6A000-memory.dmp

Filesize
6.2MB

Download
memory/4464-148-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/4464-117-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download
memory/4464-149-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

Filesize
68KB

Download
memory/4464-150-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download
memory/4464-151-0x0000000007D20000-0x0000000007D35000-memory.dmp

Filesize
84KB

Download
memory/4464-154-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/4940-182-0x0000000004F60000-0x0000000005506000-memory.dmp

Filesize
5.6MB

Download
memory/4940-246-0x0000000006580000-0x00000000065D0000-memory.dmp

Filesize
320KB

Download
memory/4940-245-0x0000000006090000-0x000000000609A000-memory.dmp

Filesize
40KB

Download
memory/4940-180-0x0000000000180000-0x00000000001B4000-memory.dmp

Filesize
208KB

Download
memory/4940-184-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/4940-183-0x0000000004A70000-0x0000000004B02000-memory.dmp

Filesize
584KB

Download
memory/10884-25156-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/11748-25203-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25195-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25175-0x00000000057A0000-0x00000000058AE000-memory.dmp

Filesize
1.1MB

Download
memory/11748-25178-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25189-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25213-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25211-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25209-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-28047-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/11748-25199-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25197-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25173-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/11748-25193-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25185-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25181-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25207-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25205-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25201-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25191-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25187-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25183-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-25179-0x00000000057A0000-0x00000000058A9000-memory.dmp

Filesize
1.0MB

Download
memory/11748-28046-0x00000000059A0000-0x0000000005A3E000-memory.dmp

Filesize
632KB

Download
memory/11904-25167-0x0000000000D40000-0x0000000000E9E000-memory.dmp

Filesize
1.4MB

Download