dharma | hxxp://www[.]google[.]com

Analysis

max time kernel
372s
max time network
375s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 19:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://www.google.com

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (530) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CoronaVirus(1).exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus(1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus(1).exe	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus(1).exe

Executes dropped EXE 3 IoCs

pid	Process
3348	CoronaVirus(1).exe
41648	CoronaVirus.exe
41660	CoronaVirus.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus(1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus(1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus(1).exe = "C:\\Windows\\System32\\CoronaVirus(1).exe"	CoronaVirus(1).exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus(1).exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	LogonUI.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus(1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
214	raw.githubusercontent.com
215	raw.githubusercontent.com
216	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_22E1B71ABFD945579932FF04D16D00F4.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_22E1B71ABFD945579932FF04D16D00F4.dat	utilman.exe
File created	C:\Windows\System32\CoronaVirus(1).exe	CoronaVirus(1).exe
File created	C:\Windows\System32\Info.hta	CoronaVirus(1).exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_contrast-black.png	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin	CoronaVirus(1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-48_altform-unplated.png	CoronaVirus(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	CoronaVirus(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSBI.TTF	CoronaVirus(1).exe
File created	C:\Program Files\7-Zip\Lang\id.txt.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdm.dll	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\ChartIm.dll	CoronaVirus(1).exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\ui-strings.js	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	CoronaVirus(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\ui-strings.js.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\awt.dll	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotsHubApp.BackgroundWorker.winmd	CoronaVirus(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\Example2.Diagnostics.Tests.ps1	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner.gif.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\mfc140enu.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-125.png	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ko_get.svg.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.LEX.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e1dabada.pri	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-100.png	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	CoronaVirus(1).exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml	CoronaVirus(1).exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js	CoronaVirus(1).exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.id-C409C08A.[[email protected]].ncov	CoronaVirus(1).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll	CoronaVirus(1).exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\CoronaVirus(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus(2).exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
12772	vssadmin.exe
9872	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Spanish\Attributes\Language = "40A;C0A"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_deDE_HeddaM\Attributes\Version = "11.0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1040-110-WINMO-DNN\TextNorm	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1031-110-WINMO-DNN\Lookup\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM\ = "Microsoft Mark - English (United States)"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_PabloM	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\LocaleHandler\ = "SR fr-FR Locale Handler"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_HelenaM\Attributes\SampleText = "Has seleccionado %1 como voz predeterminada."	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_itIT_ElsaM\ = "Microsoft Elsa - Italian (Italy)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\AccessibilityCPL.dll,-85 = "On-Screen Keyboard"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\WildcardInCFG = "Anywhere;Trailing"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_PabloM\Attributes\SayAsSupport = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\PreferredAudioRate = "16000"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1031-110-WINMO-DNN\Lookup\ = "SR de-DE Lookup Lexicon"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1031-110-WINMO-DNN\TextNorm\ = "SR Engine (11.0) Text Normalization"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1041-110-WINMO-DNN\Autodetection = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1041-110-WINMO-DNN\Attributes	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\Culture = "en-US"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_PabloM\ = "Microsoft Pablo - Spanish (Spain)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\es-ES-SW\Attributes\VAEngineType = "SW"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\Generation = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_PabloM\Attributes\NarratorTuned = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_jaJP_IchiroM\Attributes\Age = "Adult"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1041-110-WINMO-DNN\Lookup\ = "SR ja-JP Lookup Lexicon"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioInput\DefaultDefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_deDE_KatjaM\Attributes\Language = "407"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\Attributes\Name = "MS-1036-110-WINMO-DNN"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\Models	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_jaJP_AyumiM\411 = "Microsoft Ayumi - Japanese (Japan)"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioOutput\TokenEnums	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-3082-110-WINMO-DNN\ = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_itIT_ElsaM\Attributes\Name = "Microsoft Elsa"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\Background Adaptation = "0"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\Attributes\Hypotheses	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1036-110-WINMO-DNN\LocaleHandler\CLSID = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_frFR_JulieM\Attributes\Vendor = "Microsoft"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\it-IT-SW	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese\ = "Traditional Chinese Phone Converter"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1031-110-WINMO-DNN\Attributes\Desktop	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\de-DE-SW\Attributes\VAEngineType = "SW"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\it-IT-HW\410 = "Microsoft Speech HW Voice Activation - Italian (Italy)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_jaJP_AyumiM\Attributes\Age = "Adult"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\VoiceGender = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_deDE_KatjaM\Attributes\Version = "11.0"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_frFR_JulieM\VoicePath = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Julie"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_frFR_PaulM	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\de-DE-SW\Attributes\Language = "407"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-3082-110-WINMO-DNN\FEConfigDataFile = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\c3082.fe"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1041-110-WINMO-DNN\Lookup	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1040-110-WINMO-DNN\Lts	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Name = "Microsoft Zira"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-3082-110-WINMO-DNN\Background Adaptation = "0"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_HelenaM\Attributes\Language = "C0A"	utilman.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1031-110-WINMO-DNN\Lts	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_deDE_KatjaM\Attributes\Gender = "Female"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_esES_LauraM\Attributes\Name = "Microsoft Laura"	utilman.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CoronaVirus(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus(3).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus(1).exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe
3348	CoronaVirus(1).exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeDebugPrivilege	1944	firefox.exe
Token: SeDebugPrivilege	1944	firefox.exe
Token: SeBackupPrivilege	17404	vssvc.exe
Token: SeRestorePrivilege	17404	vssvc.exe
Token: SeAuditPrivilege	17404	vssvc.exe
Token: SeShutdownPrivilege	6132	LogonUI.exe
Token: SeCreatePagefilePrivilege	6132	LogonUI.exe
Token: 33	13364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	13364	AUDIODG.EXE
Token: SeShutdownPrivilege	6132	LogonUI.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
1944	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
1944	firefox.exe
24132	OpenWith.exe
6132	LogonUI.exe
11960	utilman.exe
7684	utilman.exe
6132	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4608	4392	chrome.exe	84
PID 4392 wrote to memory of 4608	4392	chrome.exe	84
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 2876	4392	chrome.exe	85
PID 4392 wrote to memory of 5096	4392	chrome.exe	86
PID 4392 wrote to memory of 5096	4392	chrome.exe	86
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87
PID 4392 wrote to memory of 3228	4392	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xd4,0xfc,0x100,0xe0,0x104,0x7ff91894cc40,0x7ff91894cc4c,0x7ff91894cc58
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3664,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4724,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,17301118437861224913,2212666993190397158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4256
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aadb15b2-707b-4366-8c9b-8046d9ed4e22} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" gpu
    3⤵
    PID:1128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f6a5ab6-743c-4fca-a72a-cccc3ecd1a2f} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" socket
    3⤵
    - Checks processor information in registry
    PID:1432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 1476 -prefMapHandle 3164 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5252bf0-0a13-420c-b213-cafd05d39ddd} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb87c3d5-ea15-4ccd-a85b-ff38d1ecede7} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4832 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f204fd57-b879-4a0d-9bb9-75b4523a4052} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" utility
    3⤵
    - Checks processor information in registry
    PID:6080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5264 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53bd0ac0-e1b8-479e-a96c-73ab557e2c73} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a11b255-ecf4-48b0-8f5b-3f19f674b536} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5404 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9530f76-05e3-4ede-af86-0625f5c6e458} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:5696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 6 -isForBrowser -prefsHandle 5604 -prefMapHandle 5884 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba02ef2-f552-4171-86ee-f22ca2f83e40} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:5444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 7 -isForBrowser -prefsHandle 5584 -prefMapHandle 5288 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {060f6272-5d22-465a-8f9f-3347483fbcdf} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:2200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 8 -isForBrowser -prefsHandle 6096 -prefMapHandle 6284 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3e843be-d4bd-40f2-9e4c-bee6bff4ceb2} 1944 "\\.\pipe\gecko-crash-server-pipe.1944" tab
    3⤵
    PID:532
- - C:\Users\Admin\Downloads\CoronaVirus(1).exe
    "C:\Users\Admin\Downloads\CoronaVirus(1).exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3348
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:6064
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:320
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:12772
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:17008
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:21112
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:9872
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:17320
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:17348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:21460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:17404

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:41648

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:41660

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ebce401510a34762a8b8274076edab34 /t 17324 /p 17320
1⤵
PID:17824

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0a8a63b2b8ed48238f43c362bb77f6fc /t 17368 /p 17348
1⤵
PID:14200

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:21932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:24132

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:18344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3fb7055 /state1:0x41c64e6d
1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6132

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:11960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:13364

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:7684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-C409C08A.[[email protected]].ncov

Filesize
2.7MB

MD5
aaa64764197567ba373259db9b2d0855

SHA1
f904a0d41a5327a667e402121d637664011546c2

SHA256
28db453bfabe9a14da6eebb0e083ae794703a5ad3b0565fb6a4d65ba66e9f8a7

SHA512
933517742256041093941d9b7b311ed46bbacc1c64bd619bb1b0562a36474fec20f00d58938b1b744c887afcb3f3e18d760bf63703b82ad1f81036931fb0e8bf

Download Submit
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1045960512-3948844814-3059691613-1000\ReadOnly\LockScreen_O\LockScreen___1920_1080_notdimmed.jpg

Filesize
710KB

MD5
cff42b03256883378c0ab2218cb42ed8

SHA1
54de757b07efb69f80296ee6f50af55e9b84ff5b

SHA256
0ba1991c10e6c1cb4307487dd450bd44c3b2013c91624ccc4f898054c3f78615

SHA512
5e1e7f63d603990174e70ebea6db80d2b093291397a62ebe877d8a0141a500bbd06236d09cf02753f583535eb43aeaa06da253ce631b1dd0faf551f98e72f136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5307e021-4baa-47b5-9188-ca844874e719.tmp

Filesize
116KB

MD5
9ae851d96c025d49d1aa6e041cb7c758

SHA1
a8a88ea0c4166cb7b85458d5992be4203e79df20

SHA256
fca682bd2dbfc8883289a187b881a483caa42faa1c996c2c9f1d8ad0606f54c5

SHA512
ceb3bd8e1e860b6319b431f9b9c54c27e7c5cd6c4913c844188b4e5c7210ce868769a8c0e8d8fc286517dec1a36a695fcd8006828ff1fcc42a44b1b1c1033d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
03990e3d9d35c44827171491df4fcfd0

SHA1
50e4051dbdec4982563f7d657563db2550444e58

SHA256
cccab9fb80fc361ea8208bd9ae372a90f8c1d3d4f118e7eeb02604bf99605867

SHA512
b95468d150efd1410f7ee1a0b7bf40f3ba7c0278fd8992c143c036dd04f9439ce95b3e83118bb714db032dfd1fd7ab4f8e8d6f5b250a4521ec857c967c1a7939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.8MB

MD5
f51ad928f327bb93d78c808ec3bf3f39

SHA1
8b78f048ea6d0680a70acd31e7a31513873c0a80

SHA256
33caccb027f74d7100f07462a4a8725b2bc7569bee261d03da67389653d46089

SHA512
943e08dd2954d62e833bc4c8928d8c7a265466a10477229c2d45555338eea499c8cdd07daa8bec895008349496f965b65654ad032274e6d333ef87b0f75e095a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
7e20e5a3e1ec908781b517b14a43750f

SHA1
7b424134ca60afcdb975f2311ac00e500755abd8

SHA256
b691f4ed1a3f7ffa65ac95a23384ed2636d76821fae7633581e7fcd4c9fcac16

SHA512
5c1bb7ad6d432c01b48bbcd74eda354c2e00a004b934d95e829c767eb074ca89e2924e0eff18b0d0a508e9c7f7e6db3b0b8b2e19dd36cf333e895b2913a8636a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3

Filesize
4.8MB

MD5
c4e93d007185bdb7579cfd4f6ee31f63

SHA1
7c60640ccad87fed18ce200fd33c40fdb892dae0

SHA256
1d81881d3de97d4c6f9899fd3fbf021bc26bba97a210dcf8b0b6b8731f843041

SHA512
5f3f0f6d22932752a4bbad2f390d48f106e05e5b668cad60b6bd963983c8f353998e585365bc932a9f7d6bb77e84d0cdd2437b4d901a1ead5567c7f6f8e21a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4451eb678f80fb74a0fd89319e2785d4

SHA1
54f59acbf508c7435ba2b7fb5a02d1a413a5858c

SHA256
790f7e1f9ee2fd75e3f46c0e8020b3c5d7085c85eef5840543a27659a659d220

SHA512
98ffbde897e63bec2d20062e569eb941f36b134d09c5037b63c2b2bf0735740223e160c689852db6d72c42524d032fd55b41d5bfacde1639897de72ee1a5e8d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9a2afee6414beebcba5c63517b3510f0

SHA1
6491cb70bbfa135c746b0fe25918d1fe77061a30

SHA256
95791a5ec73254f6ce00d42fb43e9fc100842c74bcdc8946f588a8e2c0bdbbf0

SHA512
33c12166388dc9707b257cbb97b69c57e03363205ca4fbe12ee41223f67a102352fc009d09df6033a7083566b32f797401880dbab5222a4cc7811aa6037b55b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d8e263bc389cc53a325816e0b4b1971

SHA1
d9b6abd7f152eeac3151101424e11149d4994865

SHA256
26b26e41b5a9ef71865c4ecf15c2e3ec2891580fe0307bc40fb886dc4f9ec548

SHA512
b7334046d7adb22eb5e6a6d9d7a82875148e4af9a7c9a11bf27caa09261d8ec703b5d761ddbaeb7b5f300cbad035a405523dbf976470ee31179b0e1388df70cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
ef0d7682b741da75158048ef601e5d7d

SHA1
40d6e9b26601817005a9b41b0e0af3deec52eb43

SHA256
5d2bd7c46395c33a97919aed1a193b93f198bf59d2a98ecdc6e6d093d544105c

SHA512
07fb920a4559bb84ea4402a9da88b25919af38a60365344b8c698838627988e721897e5eaf56f789b4d66124303af87534490df0b8a835a337b830b871affc76

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\startupCache\scriptCache.bin

Filesize
9.6MB

MD5
2b1264fab1c342433b8dd9cc9b5697be

SHA1
b8e11f5a8e2dc44481cf9a67c3eb95c75ced850e

SHA256
5f6e8849994c75511fce6070c2af547c770741426c800e7bb2d5c7aa23b323d8

SHA512
13c8c6fddfdb2262a7b955f1d8921d7282defee14e2bfde8c4aeaa450901c9b6554241bb41f37c8764d2c229427a573f8d0b6ef45fa67b63d95110eae17278d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
13KB

MD5
7f480be5f510fcabb8929e7e5c43076a

SHA1
65f45c58744e6aa1758ed66829be00ea4affb3f9

SHA256
21db4f5ce3723a0861abe37f217aa6b7027b429858eefc3a2afce4513ce9ea06

SHA512
b6d2fa9fd7552452f65923a275a47cea0a22896123b6b6c12432b7e3ee242f6abc51ed96b08fd7ad6ef42c2a7ccb3921304a6603aff861b5e91b3ad58a965e55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
7KB

MD5
48179f7859aa45dacdfba45ead692b6d

SHA1
4d68a030bca13e87183b61a7160bdf8e6d51634f

SHA256
ff9966b550570bb6cdee3ef67f5d87d5beaf5b8641318a5c46a2a7305c1a2c29

SHA512
325e8e48f31f59504aa3da1dd0473d26bad8bc967e1c30fcdc6d5e2888b1bbbb6ad9f3233135fd033fa4fc093b0761ce40e199f563a3d5a051ad7f97099b45b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
825226f32a0ee46510967e9f370e7074

SHA1
4b36e448efc52b5ec45f997072eb38ae109ec74c

SHA256
ae9d563d643444deb2da59be0aca23e332fb4484c47b231f06323aea082daa23

SHA512
6ca8d8343792f2914eddefb5878226cd501643eb45babc9bc78c29035cf7d6be74cc524dd4ac7b931b645b26fc95e97bd04d83831c6f77895a1bbffd7ad541d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
244a92ae326f0c72ffa9346c024ac444

SHA1
b1ec36c864044daa4a742bfbc1967c119ae05d10

SHA256
32c4ede2e4e4cdc412ec4e43bc4fbdd4cfc23875c4bea3e4206e73107a4c7033

SHA512
b648d79dea442fa179f11be1e1cdeaa4266163bea63860abb2ffe5116c974ae90492ebc9b5dcbd1fb53d7db7989a628c8bf4099c70e5851429b6c985684ec9fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
aa3218c7272f9374744a0c6cf252f0da

SHA1
0731e9ec9390cde1191d7dbd348c81fceb456913

SHA256
6ac1497cb7a12e9c066cb4aeb08fd71ff5b5b07ac9c489c8c85d4a493385249e

SHA512
05bb93a50e33a95ac3b2737f80f12f2bd157dee93609f664981e621508b00ec54d267b11e0818ad41dc26e4ddd8acacefa00386d78cd1ed0f3824b669cd52696

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\5777778f-e9c4-4910-95a0-1799fc6da67b

Filesize
26KB

MD5
a302c5b60a2751e7e4eea48b6f6f0424

SHA1
7e5b90ea5146b21c5192cd4ad07bb379ef941a7a

SHA256
41ea48b5c189712ae5332fddf8321877868660addfc459eeca162cc71d532fe7

SHA512
07d8bb972e8829d8761ea3cf9efdf70d3399688a76b3b7f340deb59cd955995e2b34d2535414a4d726679cc5f6e04785fd19d5b3756c0b4ec9945229cf5f8cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\918fb397-4a54-453f-bed9-e01b8e3ea58c

Filesize
10KB

MD5
60939bf7bb61532303bb8279187c4f9d

SHA1
31278aae2a33a872f8a4d4e2406f49a711ec1c26

SHA256
e2223760d9171b6f517c0ba658ffa63a4bcda6bb716c132cc5fc4f3f1454b552

SHA512
ac153a521132ed67f7146044df6c6c0a18395395ed70fc01ab1ede1321e860cfd7bd25f22975d8da09b700ae14361ea441aaf2c18ee84967d706d38b51c93d73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\ace88f5e-7838-4c59-924c-f415cef77412

Filesize
671B

MD5
7dc4c88d90453a9e7a619d591b82963f

SHA1
e861e88425f4744a8aff36be082df4f003d01d1e

SHA256
6e4f936023b37c6ddaa40a283539f14c83a5e85fba016da62f09998c33f6e6e3

SHA512
25ca9a5e9ae02745ec639a803eaa483ef224fdecd1b027dc278266b46b318bd66d196aad2e801403d9e1ebb788eda680aed20da41702690eb9421c90534e0b84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\c1ba6aa9-d3e9-4eca-9c2c-b3fd47c4df99

Filesize
982B

MD5
18d027bef1808362005e7758e630a2f5

SHA1
f09117de9242861d8756b06da3bbcf313d495189

SHA256
e7f4ee5708a201799141fa13c1e3eb3a831c9b3c364ebcb00f9088961b1b070d

SHA512
ef7aec88fd79e21d3d034975786b1ceafe81d5e69c3f2912a101b22bfbded63b730652d3139ddbc94597c15dc93426b10b787a2fb49139d036f4a6cb24fdf05d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
10KB

MD5
ef74e963bc3d6655fb6d992a7332188b

SHA1
a7c1318aed49ef050a17173c16740c746cac9928

SHA256
82aca2c9d6728144e622ddfad5bebe454948e5d7563f180a784ac9b71bcb8470

SHA512
0f19e2599754201f76da64c1e3482a06499e4df9ab4ad9d53550b63b900b32f1655e595e61fafda59e69a3f58fb08499df4cd33505bb9857ecb35e9e66617da8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
10KB

MD5
34caffb0b55072518a848796f3041d6b

SHA1
10c7dc41cdb497014e39a0e489dfd3d062dd8e97

SHA256
af161f4e5e13904e5959a04236fbabccd808af55c008ddaebb3a17b7bbd9e8fc

SHA512
0a56ed668a2310a4469a509938d7deeac555ad962fa808ec75d1909a57df3037d296bc9cac3d946a8938939fbdfd22f6285e4da44ac004c02dfbd011ef5de8e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
3889d57f9525240b07bc2f783d3b4e1a

SHA1
36846a2410178961e056b788d025e798ad2429a6

SHA256
6fdcee40e6c708f316e261c44e26562a0d27ee87742af8d640fee3dae4a6aeb9

SHA512
2b84a9d762dcf538c7eb3ad031a0bd90f571ea539df7db6bd7297b1af10ce28134510b80b81c4771706fa055c857842a40e7c66a9a727d1a600a197add0cdf81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
11KB

MD5
288fb70044a9492cddb88c3e3131364a

SHA1
2ddd05c644a964bdd52e4dda30e6c91a31657e11

SHA256
bbed9222cbfd23bb1b1a6f70deb2aa9e18ba0fbd59908f3df92b2ba9d3f0c706

SHA512
54d3c090275bc9f5f79dedf220861d4a5db9b999ed959bed0f097402913335a4e35e3ca57d7ef3e42cce6b8bde5386096b34c6e00ad21996d7bc3c4b3b7d2239

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
d24372eb75589b8225c65256177d1941

SHA1
03eff00780320bc033dfd605d3d638de4a00a06a

SHA256
9a2c17436606b24ef07d090bbb0ea5098146ae33d374cf0e35694cb7f2e6f7fe

SHA512
a26e62394bd1dbd5b6c041e0a2fefbc698e92456dde5b1dae24b665945ea71d4dae0b72b6a2ef506dd4cc10c9c0629fe37d1d71302b58b5a262b1343bb8a3f9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
fd8a26a50f3e7000910342288499a2d1

SHA1
9bdedc60089d041d47b744694c2cf1b05801d3d8

SHA256
a7c8749ac72e6d2c2850121300a2924f13a8b9ae661cd619180f177cd4954c2d

SHA512
3267d310e9e4b6d4d66df950c570746af7a96429a55ded02c93357960011915488f467bd294964576735e08e63cb08119f03b684a96ee3f6dcd4e5eb3b57597a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
f0bedbec7ca5305e1e8f9e5a46a0dba6

SHA1
0a2f9118ae607c45115a4bb17a4d0bc6c864ed7f

SHA256
e9303f4937a34335866c31bc26b8b747a01af630765442fae5887cf925bd1944

SHA512
bf910ecef36ed212d791af75887f9b034a8e01cca5a276cb90d07ce49f0ae6760c8c3c3fb4745bfe7098de68021c223fd1e158bbfe54727e54efddf532aac62b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
520d981c039299f26918cd4d594314ab

SHA1
1386ae14958f86e08f6ecfd7fa9f4a10640bd417

SHA256
2515bfad6505837fe122ebc7558aa96f97f43c8d84cfb250b2ae6e1a1eb97c16

SHA512
7c08555b893a76d68aef9be3fab52833c0641509ff60b2d13b96125a0a68869f862f85b3309b19eca89271f94d5aab465e70b7f3e7545403d17f8e3f33499765

Download Submit
C:\Users\Admin\Downloads\CoronaVirus(2).exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
memory/3348-5566-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3348-19438-0x000000000B590000-0x000000000B5C4000-memory.dmp

Filesize
208KB

Download
memory/3348-1312-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3348-1310-0x000000000B590000-0x000000000B5C4000-memory.dmp

Filesize
208KB

Download
memory/3348-1152-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/41648-17531-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/41648-25100-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/41648-26854-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/41660-17532-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/41660-22703-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/41660-23289-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads