dharma | hxxp://bing[.]com

Analysis

max time kernel
297s
max time network
347s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 18:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://bing.com

Score

10^/10

dharma floxif backdoor defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>SDHhXJsfSrQ+MBWGGngKTSyj+naGLCvNQ+kKsJTnquSS9hhBZT0fXAhgZzcKMBra0iWMORZ3wpVbyj890r6LHM/yRUaxIyTLbYmzxuku/nZ+ikcT7RZEZWudxLuSOuzBrhm9lSf6Fs5N29SmtXyTtueUg3QWWv5jb/Vi1TakqID2I00Y9IqscQgYw4H+eI0W431pWhWuQMBuk81nR0lyLXJPty5r+lIzRPW2Cvd6a7169Bh5COCcehno8Ei3QJ1sw4P38K0dveEdBy2XMX/ERUUPZJ8i1A+VdO/+k2bKT+5o77mK53+THdpVVzWp9DldZp521wJVu0Dd30yisVXfjQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>TuLnvoF+NSh7squL/v6oc3qreVtwb/Rm9yoxhb91QcizV6OLtj0/Cciy6DxwqsAEvEMC3vbhi1Hraggi8/ZCZ0I04xqR0d/nDUf7sjZg1kzXOktw4WxAZ56UgLYLkyTuvLTHQiTVQec5xNvE30HAo0PovdTsPxVqVUa0W4ztLogSZx+6xU+f0OEcbRM4b/wm9Pnw88c/uBOWst62yEEy1e03iANay4mOSGcDQCIPRQ4rh7+AeomZSBvRW6fteW1jKTZvBa8xedC+OPP9Rduo2/4WESmTThtE0A3dMlNhc00OtV8XciwGOHkH1hY9fRgnTWzMvFHkEPqBVi4Rb3bm8g==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>gLrKE5IshbZnMIvG5xpVWrWPrKO1nim1Hh+V9pwbFQ1F+SEPaHuk5jvAto+b+JtJkj/hAFqEHyh2KXuCQS7j5qb0tYZO/eLr97sJ4m1GLof4uC7ug8Gyu00dobi34xca1HowcGRPIS89Heo1S5KaVfytT/gvG0a9AdAIs0xkkofwmwL04FFBxgZYIoLdykwJCHIgO/mPFgtIpe5tsZM6hyxkPxk6PJgg5xCsLIHANgnDqL3y3cR3uDmJg1ia/q36bPFiaUCYuA4hpYwpEW42ZbR9fxF5pKyKbSgUAfUz2Qgm90XrcvDfNIFubq4JUJM9Pw1q638cqpb7DqZCfSL4MA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000f00000001b621-776.dat	floxif

Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5420	NetSh.exe
11980	NetSh.exe
27852	NetSh.exe
9856	NetSh.exe
5640	NetSh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000f00000001b621-776.dat	acprotect

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 28 IoCs

pid	Process
4928	Mabezat.exe
4548	Floxif.exe
4240	Floxif.exe
1888	Floxif.exe
2196	Floxif.exe
3200	Floxif.exe
2212	Floxif.exe
3076	Floxif.exe
1964	Floxif.exe
4764	Floxif.exe
4472	Floxif.exe
548	Floxif.exe
3012	Floxif.exe
4064	Fantom.exe
3476	CoronaVirus.exe
3048	Annabelle.exe
1044	CoronaVirus.exe
1708	CoronaVirus.exe
1364	Fantom.exe
3404	CoronaVirus.exe
21644	Annabelle.exe
21652	Annabelle.exe
7228	CoronaVirus.exe
5268	Annabelle.exe
11220	Fantom.exe
16572	CoronaVirus.exe
17252	CoronaVirus.exe
14532	Annabelle.exe

Loads dropped DLL 12 IoCs

pid	Process
4548	Floxif.exe
4240	Floxif.exe
1888	Floxif.exe
2196	Floxif.exe
3200	Floxif.exe
2212	Floxif.exe
3076	Floxif.exe
1964	Floxif.exe
4764	Floxif.exe
4472	Floxif.exe
548	Floxif.exe
3012	Floxif.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
136	raw.githubusercontent.com
137	raw.githubusercontent.com
138	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f00000001b621-776.dat	upx
behavioral1/memory/4548-779-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4548-783-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4240-796-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4240-799-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1888-802-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1888-805-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2196-808-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2196-811-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3200-814-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-817-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3200-820-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3076-823-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2212-826-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-829-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3076-832-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4764-835-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1964-838-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4472-850-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4764-853-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/548-856-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4472-859-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/548-862-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3012-867-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ui-strings.js.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ru_get.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-24_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-96.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_24x24x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-20_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\DeleteToastQuickAction.scale-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_selected_18.svg.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\ui-strings.js.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-250.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js.id-84BE3A9F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3752	4548	WerFault.exe	138
4576	4240	WerFault.exe	143
3888	1888	WerFault.exe	146
1136	2196	WerFault.exe	149
1092	3200	WerFault.exe	152
4264	2212	WerFault.exe	155
768	3076	WerFault.exe	158
1032	1964	WerFault.exe	161
4480	4764	WerFault.exe	164
4760	4472	WerFault.exe	167
2460	548	WerFault.exe	170
2352	3012	WerFault.exe	173

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabezat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 16 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
10144	vssadmin.exe
2940	vssadmin.exe
17724	vssadmin.exe
27880	vssadmin.exe
9992	vssadmin.exe
9884	vssadmin.exe
12024	vssadmin.exe
12000	vssadmin.exe
27860	vssadmin.exe
3084	vssadmin.exe
5448	vssadmin.exe
9892	vssadmin.exe
12008	vssadmin.exe
27908	vssadmin.exe
5624	vssadmin.exe
5596	vssadmin.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 206045.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 513379.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 237541.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 252171.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 771692.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 280057.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4500	msedge.exe
4500	msedge.exe
2644	identity_helper.exe
2644	identity_helper.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
2248	msedge.exe
1204	msedge.exe
1204	msedge.exe
4220	msedge.exe
4220	msedge.exe
1032	msedge.exe
1032	msedge.exe
1044	msedge.exe
1044	msedge.exe
2412	msedge.exe
2412	msedge.exe
4716	msedge.exe
4716	msedge.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe
3476	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4500	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	Floxif.exe
Token: SeDebugPrivilege	4240	Floxif.exe
Token: SeDebugPrivilege	1888	Floxif.exe
Token: SeDebugPrivilege	2196	Floxif.exe
Token: SeDebugPrivilege	3200	Floxif.exe
Token: SeDebugPrivilege	2212	Floxif.exe
Token: SeDebugPrivilege	3076	Floxif.exe
Token: SeDebugPrivilege	1964	Floxif.exe
Token: SeDebugPrivilege	4764	Floxif.exe
Token: SeDebugPrivilege	4472	Floxif.exe
Token: SeDebugPrivilege	548	Floxif.exe
Token: SeDebugPrivilege	3012	Floxif.exe
Token: SeDebugPrivilege	4064	Fantom.exe
Token: SeDebugPrivilege	1364	Fantom.exe
Token: SeDebugPrivilege	11220	Fantom.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 5044	4500	msedge.exe	82
PID 4500 wrote to memory of 5044	4500	msedge.exe	82
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 2928	4500	msedge.exe	83
PID 4500 wrote to memory of 4788	4500	msedge.exe	84
PID 4500 wrote to memory of 4788	4500	msedge.exe	84
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85
PID 4500 wrote to memory of 1072	4500	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://bing.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7032 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Users\Admin\Downloads\Mabezat.exe
  "C:\Users\Admin\Downloads\Mabezat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 432
    3⤵
    - Program crash
    PID:3752
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 400
    3⤵
    - Program crash
    PID:4576
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 400
    3⤵
    - Program crash
    PID:3888
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 400
    3⤵
    - Program crash
    PID:1136
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 400
    3⤵
    - Program crash
    PID:1092
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 400
    3⤵
    - Program crash
    PID:4264
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 400
    3⤵
    - Program crash
    PID:768
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 400
    3⤵
    - Program crash
    PID:1032
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 400
    3⤵
    - Program crash
    PID:4480
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 400
    3⤵
    - Program crash
    PID:4760
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 400
    3⤵
    - Program crash
    PID:2460
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 400
    3⤵
    - Program crash
    PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1840 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    PID:12852
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:684
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:17804
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:17724
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:12068
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:12212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16707799884560385261,8021505649169506613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  PID:3048
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:27908
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:27880
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:27860
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:27852
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:25696
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3404
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  PID:21644
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10144
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9892
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9884
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:9856
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:25932
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  PID:21652
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5596
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3084
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2940
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5420
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:25784
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  PID:5268
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:9992
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5448
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5624
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5640
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:25800
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7228
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:11220
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Executes dropped EXE
  PID:14532
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12008
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12024
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:12000
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:11980
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:16572
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:17252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4240 -ip 4240
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1888 -ip 1888
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2196 -ip 2196
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3200 -ip 3200
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2212 -ip 2212
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3076 -ip 3076
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1964 -ip 1964
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4764 -ip 4764
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4472 -ip 4472
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 548 -ip 548
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3012 -ip 3012
1⤵
PID:2520

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:17052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:12828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3865855 /state1:0x41c64e6d
1⤵
PID:25976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
743aabea045a8335f2a815b328f1fdc4

SHA1
cdc499b41cc847ba692be0372fac47583c3d484a

SHA256
7a14ca5f86273943e806ad27129239f7cfab7712786b2c7ea4b19eba424ed2f2

SHA512
56a95ec4f7a2d3ad71c03d8f63541333c0d58fd5fd4840dc6cf4f1444175b0839a7bd5c19a83eb106b29c2c2e2296992282bbba08f64bb4759033ef3a2f3788e

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
41db63039c8e72affe881a952f9f1b3a

SHA1
f599ad2f99d33053c32463c6d6745290ce647abf

SHA256
437d20cb966224b9ced0e858cd2cd6fbae13b9ca184425254b3685ae1340409a

SHA512
3990a58cd00227f4b7ec78bcbf2554a0a0f8dc6102c1bf43281e89dffa3c3ebddd3ee1ccc11aab0de132c15b21057ce096be15b437ea0d31efea5460b45e0e47

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
416670745dcaa402a91073cab037dc47

SHA1
26a9a4d40104ae1a76c92201d5eb81afb0ba8bca

SHA256
7a222d99527722d02439eb8e6ed985d4cc554043cedf7d782a139cf41a3acbeb

SHA512
877eab07c5892e46b103a7b0796cd3c78c4d122e0a050eb2fcfc0b2bfacd8941f796eae80bc0275b8ef99f8abcf1f679f4b71cb93516eff34fb937b126860f8d

Download Submit
C:\Program Files\CheckpointProtect.vbe.id-84BE3A9F.[[email protected]].ncov

Filesize
2.7MB

MD5
fcaf13f929082262bcd2b360d9b138e7

SHA1
c656e10c81b91abd6cd70f505f18b31fa106216b

SHA256
a0d97a65df6c0c17a9c6d5fc4d34cfdcd12e3b19f62850c30dea9f876c1b4f98

SHA512
7de7c8bac54471fff24c4f01916e7400ee57b2afff1c63da9b4e9106f896bc4b1f754ff6e984cf19a07d9dac5fa3d40228e9c2217fcd176a047526e8fffaae8a

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5caba19bfe24fbe5abbbe001560076ad

SHA1
b98ee55e5d7da79bb0e2acc6b92f7315dee3bdc8

SHA256
33a722be1c0979b795cd86358b58aaa876f9fda7428950c049141363f693d517

SHA512
d2640079767decdf05830dfd2af20ba1f834baf790e1567c4be98acc705ced801fec8e9f3e482ad7b2dbd7b9c026d153575c6bc88965f1330ac93be26e827cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b147adbd3b250050d217cef00ad80b99

SHA1
e84f9cfbf818185682c6b458d1fa2b9a332e30d7

SHA256
b9955dab36fde69e6320f418959e95ec70d286fe26d73bd71dbf659815c1443e

SHA512
4670eddea6cbcbdeac110c75d8a975b6a9f848194f3095d077c93025b3ef134319fb19aba0b31bdf3bdc1b87badc7fd0482a5dc004d3e84784931bbd6f1c752e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dc17d3c945c90c395229c075f3fb4963

SHA1
2cb048a5b170c767ceec7b80877801691e32c92e

SHA256
cc0b655851e898219c66f890fb351317450a3bbcb56db23a43e0d0737a94a0da

SHA512
98d2eaff90af03395a47da39d03e1cf2cd3ea06dffe61bc61203063d94f5279c9a7155792c6990c359bd24f640911cfa11f5d36bc423ae9c8f50482b02378b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
848B

MD5
bc8af802a6acf02417a16612b692e235

SHA1
4b073dc7b7a33bedca52335ddc73a8d8a2473164

SHA256
c72d34fc7f2b5e390669c59d711cda3bd71831ef7ae46d2f96e165bc238519ee

SHA512
a4bad4b1d761879d47e672341de784bfe290cdb01e135e58424b1572efbbf06f84d206aa1ea7b6629883eb7e6a4cfc1783f149ce26c8be56aeef761c0f44ce1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
591de491056d5ac2f01c611708d3e476

SHA1
dbc1591a70abb713e135aecf499d7f4749c21b12

SHA256
d8c4bec4d66db7ab0105a75e36943ebde3f1b419fdb3a465502f1aae5cfe4e31

SHA512
472553fb0eebe82df0933963ac4830c9f3d660065ae57782f04e8f98a43fd9f175862751f53e0613c2f0e3f57c02afa3870029d0ca02516f695674b7c22d8341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
68a8606e8785d7ac52bcd87af2cb8a55

SHA1
eec0d6bc9f7dc57229d74d9d50e1edfe3c09b77c

SHA256
39124dc810a8d8924ef579431d25903108910ed460f27ecdbf838da7242f9a2f

SHA512
00fce45685f746973da77b185bfaeb6177797a43d362735a4e7f534415e02c5ab75f38846fb920569b9949ced432eac7ad7ab98263c1f86d01ee47df56e3cdd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6bc533a278e03613b8ad0c6f1355331

SHA1
80312fa81014f51573ef24f0b1f73fb7859345b2

SHA256
6ba137b98b32173d2768bf7d0599f0d3ccffae5e9a18d94387210db1a60b8e23

SHA512
d0a9ab527e04b32d83bba8a177d666a59a0be2ede5478d57c3d9520b13c57b39e682b0ee95225e6905eb67def48aa2ab8db880205a13af6b6293eaf02979a85e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb4c8be3e09923bee6ea8f47cd637676

SHA1
1298066157ac94ab7991e893c886078b9aecc26c

SHA256
80c30451f5e276ee639ece12a1947bc96202ba2db818d861a7676799f8e6eb36

SHA512
ec8d0095abdc9610618e8556ba52da1a424e9800f845ed4834f0444588ca1c8919ff1fbedfbce026dbf70d87c5d69803413901f684c23999314b15e89f476f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6a6527758a8f7b83079a8ac24d568245

SHA1
f64a6894c56228fe35cb098ed76b322f350885a1

SHA256
a381a6abfb2eba7976840483039cfa0712b6ccab3abdf591f746cd3abf34b1e3

SHA512
fb6a1fb6c77cfb9a81b1d6a497b86522d927109f78e2484e47c6b145da937dc76dc039df196bb73738a6539dad4a05bc1e945fe0f3dfb9d93c4385621db7156b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43d83b9a70219d69f1d5ee0834efd81f

SHA1
91ecf23a909cc56e1062b97fd88a8511fd72b067

SHA256
1f5c39148658bf530de081b470b59586c1a1e411f0882afb7e44b001d8a0c184

SHA512
567c7f2b29b8743f6e49804dfd0d8bfaad40fce237eeaae1650e1d23bb3a9ed5683c9284b20fdc8ee6d03250234f53e9158b0f87ac4821016f92d54983c37ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
140f72bc1a22ec310e95632430c9169a

SHA1
686f7f6210807a7a104dba1141cfc1f02a866348

SHA256
19887044c299072bcd204bbadd59a946e1a5491bb6442e353ad87235c74a96a1

SHA512
3a47da1495cf716e38da3e2c974a6f171423deb75a2372f86538eacb3ba04aecad1e33d60041981984fb7db4f4f5ac8a8a288160121f3e9a9daec9eefe84a119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
cc17499f628474957f8c0350515c012f

SHA1
baf367f544603cf61e5c4b174982372bd8ae111f

SHA256
7cf67d6a69373a9fa2604cb2eea51241d82a98bc278c9215cc650a026caa0968

SHA512
0c9f0cf6a74539ef671dab9c0bc86200b10662c38f54af2827128292234c9d3b2bb51a868e12166981eaee12b4a677428154a7203466c295b53072bdd8cec5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfb33289464e25c50a5fb02ee66aaec7

SHA1
25328f79100250f8d658521635589c50384df4f9

SHA256
97a38cf8345c20ac6862cfdc8fa02d95306398e9116f414d4d804ae30464d793

SHA512
e8a01b720c49c27381a708957839a238f5e417a7303b7c628ed3fa55458d984bcbd4359c0447a8bd000ed6b6aec1cc1ad8bf36e0baca084568c7ea6fde6128f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b579d2cf98ac47c0d947dd37d8fabd8

SHA1
f9446459a04e42650aabd6345c47ea79777d19d2

SHA256
68b08576d3a756c5abcafa3e4683fa5bd9d6156d7be1b4fa00027e706df45dab

SHA512
30965b38d81f9a14fcd48fe9132158aa7f400d6a15985b58626176024b5426a8c00b0bd2798f4b759641401b1113321540f31d5574115630634d74b4276fb66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae41211df162fba85b09868ee9a2cbc3

SHA1
97ae4cfa921dc57976a0c6732258bb658f32f736

SHA256
f46522a8b20436d5daf8a9928622db952316ed9371888c1008ca8cc1d5dbbf17

SHA512
95f0e690009d9963de7b9d548d3733f47033c1ca62dd473c2994494ee01b6482b0fea616d013599781f26f29e579b27f16e32cd9544a7b1e6f7f8f841208fbc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c81c269260a050952644452e377c7646

SHA1
5d54f5a3e9358fbe3093673aacd2d5d1eb5ac413

SHA256
4a658c391287db92a71f84861cbaee19345d8c83307ace1d55c834e94150a6ba

SHA512
e652a89a748b675ce8ffd7071f919935bc395bcd004a0b92e5c2be7f9712368dfbb890e6b3986e71073c1cdb4c6d5d50fef6f8034ff6541672bba1045ea1c525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74e7570b33cd1a838bddb385b46a596f

SHA1
81b9a1e57c7538de95cd1c9e0fabbce250587d16

SHA256
61644bc015f53527cf64f7eca7bbbec9dd72394bf780906ef9d154245244b737

SHA512
573775605b9751cc827f1127a33ad1298ce15855678dd505abd397f68206c9b1f7a1c05229f29e13e2f7afb87ebcbfd994b8efc16431ae7ed2d0cb3e4dcc7eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
216548893bfc7ce8b141e7f542a4998a

SHA1
21a065ee70d05ab420a7bf6de3eefdc5358f3a5a

SHA256
414e197cc7f3afe4d9e861c951933e09468fa3bb6f66d6f851fd2a6dc59c3606

SHA512
a509e091c001a90a4bc67a80fc0b18dae377b629f72ef956b4a9a19ee674133b6dbbb738e13da9dfee1fe0a108898ebe4208596e1bd24c794a8eef180ec15592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
199da633ab430326b3282f2d5348eac9

SHA1
b140618eb6ad2990449109a88a9f13d94efae18e

SHA256
382fedf8379e23817978b8553b2c29699ba4dc9e323e85a7838a44fa1365767f

SHA512
ea1589ec027557bb4a1e8f4c4c3a087a8e3c35385b7e41a0a065f0480442ed962ee2d059d1bd8baea58a73c152cf7a0c2f690a9bcf9b6085ed1914fd624149dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
93add454b8fd01904280863d732e0a3f

SHA1
28cbbc6aec2e7b4927ea5319d1c0ff572721ba1e

SHA256
b9814220ab1f871ea873c3f6d7f7100dc6cd8b7c6b75eb9f93a6efddb243c9e7

SHA512
670420cc9e24b99f304beb01002ac9b8da9acf4fa1ebaa2ef3dae28a688e89efa94938288fdfbe6bde99e4e46dc28cd8e6c9e75f5156bbda91a5152d959ca853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f902cba50c5cbeb9cb4ad9d7eb2a4274

SHA1
1fc6c58ee0126471e841b33e61d6204405d12025

SHA256
ca88abb96cd6dd9966f3bde337efdd7c2be525e0bf0c94073e67c833f64b9309

SHA512
5b748b0b6ea029539af088f5d9e08ed901ae5941b670df5b77e6cc4c2406b37ddf3a5f8ed5933730b2ea8d3049c336c5f5372b04d0d8e3a729b0a79ea4538134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19c5f9aa0a6c90b2a6a5cfaab206683e

SHA1
8386aa1ef15458267c7724be7dca862c7c5263b6

SHA256
96748e7c13c889b3a1adbaf4aaf7a5862d9fb06d310085ac11ca82d0e2e2c40c

SHA512
4998868fb46edc7a850e81b289e5c4a8151b34d09dcf2380373b7b77f0f80deddf3db313e194c73ac6acfda7d5426d6e7a7c607e13777ea7798455ddead224ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1956fcf98b521daadc008db824aa4d8f

SHA1
67791583450128323e9ebf764fd2dac28f9aa965

SHA256
0376be479e95eb75ba1a2b148be2a51c86fd01da7903393648dfba88563fb651

SHA512
45e4a3f5499e4043ca51e82b366720212695bdf791a852e30702d315db26adab2ae280e8000fa188d150ad5dcf3f5ee5bdff9e5f361acd156c3d46e930a8ff9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d04b.TMP

Filesize
873B

MD5
0c502cfe94c23ee42ee8f65610534cf6

SHA1
53524ebbdd0e8ae262bb8d0cd56a4020fa262625

SHA256
bc0b92c3269762397ae6d635c16691548374b7c5954545ae91331dcc6bfe590f

SHA512
57900c72498a4aafe6342b1eb51613bc39bbe26ae15c2cde259d1b39d397e2f613ad7ab504fc088626882f8e88ff43c252b649730bce1e9df43b0dec147203ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0aa8e5c68f9c42bc2c155886ed881d51

SHA1
2ec8b4d0336ec493cd5e7da1f3d95d35053a0cc5

SHA256
a74c1984e5455b16bcd5e38e22d4b05d2472a8f764e80ff00cac2ba7b023c400

SHA512
2207d2e8337b00ad147792c8d106497839de6681e2cf60dcc301c0580179e87707a9e2a8b2f358566e23e848130f7288ea1d3b3bb1ed20a4bed19f9d8ac30015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2912a7876a4abab6a6bc0c9b63acf65b

SHA1
ec22083ed65f29211bb41273d4f34e9141ba296b

SHA256
8ad48719b4e192654cf95feb798795fe0ed73f29deef919440bf90891c47552d

SHA512
43d544e26248df4bca4ad754be80c2385019dea6d3a314672ec238bda542683da980ef3f29c175a3df7bf70da873d025f20213b568d80657e08512114a680744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ccd953afa2f7a9424b63c5a2eb1c84d7

SHA1
dd2600b1aeb547a84336326278f88a9ae965f738

SHA256
ea2f59fed380073a7befcc9e677176fa0ade77d306d28ef4cbc1f8afee16f926

SHA512
097fdeb30652a2d11b777b607b42604354fb38c84262bc6e32bfd5fff56e15a6f44251e8867aa8fcb463efdd07944de4d159da67b63be4e7e621082548bc11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\efcf424e-a5f5-4112-9002-013d28a03f0a.tmp

Filesize
10KB

MD5
08154661a0372c6069492b7e70a251fd

SHA1
71707a423166205374fd6090cc1e7534aa19fb3f

SHA256
24bd36a29f9f06d722f10830981cf450e5c101ee9bd1809273a3e6ebce00aaab

SHA512
2df8c1cc57518b959d6245d6f3131caee6ce7eb423f5b867b173a2938ccdc622634327d18536e7d32f162db0843b65e76305f830ffc2ef9a0c478007f838b83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 206045.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 237541.crdownload

Filesize
141KB

MD5
de8d08a3018dfe8fd04ed525d30bb612

SHA1
a65d97c20e777d04fb4f3c465b82e8c456edba24

SHA256
2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb

SHA512
cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 252171.crdownload

Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 280057.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 280057.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 513379.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 771692.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/548-862-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/548-856-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1044-1184-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1044-8368-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1364-1186-0x0000000004970000-0x00000000049A2000-memory.dmp

Filesize
200KB

Download
memory/1708-1185-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1708-9069-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1888-805-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1888-802-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-838-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1964-829-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2196-811-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2196-808-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-826-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2212-817-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3012-867-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3048-9191-0x0000023943230000-0x00000239447BE000-memory.dmp

Filesize
21.6MB

Download
memory/3048-1183-0x0000023927C70000-0x0000023928C64000-memory.dmp

Filesize
16.0MB

Download
memory/3076-832-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3076-823-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3200-820-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3200-814-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3404-1317-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3404-9182-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3476-28891-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3476-1161-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4064-1027-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1025-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1149-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/4064-1148-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/4064-1055-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1054-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1150-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/4064-1051-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1049-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1048-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1045-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1043-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1041-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1039-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1038-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1034-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1031-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1029-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1061-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1057-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1024-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1063-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1035-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1059-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4064-1023-0x0000000002540000-0x0000000002572000-memory.dmp

Filesize
200KB

Download
memory/4064-1022-0x0000000002420000-0x0000000002452000-memory.dmp

Filesize
200KB

Download
memory/4064-26774-0x00000000054A0000-0x00000000054AE000-memory.dmp

Filesize
56KB

Download
memory/4240-797-0x0000000000F50000-0x0000000000FC5000-memory.dmp

Filesize
468KB

Download
memory/4240-799-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4240-796-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4472-850-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4472-859-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4548-783-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4548-781-0x0000000000090000-0x0000000000105000-memory.dmp

Filesize
468KB

Download
memory/4548-779-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4764-835-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4764-853-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4928-710-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/4928-708-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/7228-6896-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/7228-9186-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/11220-9051-0x0000000002130000-0x0000000002162000-memory.dmp

Filesize
200KB

Download
memory/11220-9052-0x0000000002420000-0x0000000002452000-memory.dmp

Filesize
200KB

Download
memory/12852-26817-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/16572-9190-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/16572-9050-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/17252-9193-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/17252-9179-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads