dharma | 9de052d7b835e0b896644c23c696c5d31c78b6d5f5366ab46b9b368f18106e0c

Resubmissions

04/01/2025, 22:11

250104-13x5xssjap 6

04/01/2025, 22:06

250104-11dcqs1raj 10

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/01/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.bat
Size

2KB
MD5

a8883d531fc8b94f0ce002b1bc607d1d
SHA1

7f52ffa1e9fab82955dfe3cbb04714b85a4990ac
SHA256

cc5480ea61441b4112dfbbb04402e91b0abb7d64ca4461b5c8a46b063bb33e9e
SHA512

789d3a4161d1ea4d72dd2c9c56fb8b135bc5d613c69e328aeef0c4e1fdd9191dc89f2d819d925e7878baef282120a3c481cffc762ba923a925eeea21da0a62f6

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (566) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
1524	CoronaVirus.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 3 IoCs

pid	Process
1524	CoronaVirus.exe
35112	CoronaVirus.exe
14776	msedge.exe

Loads dropped DLL 1 IoCs

pid	Process
14776	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
46	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2020.812.2125.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmcachemgr_xl.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\mergeStyleSets.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\StandardShader.io.hlsl	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Illustrations\icon1.scale-200_theme-dark.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.resources.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\devtools\ja.pak.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSplashScreen.scale-250.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\react-dom\umd\react-dom.production.min.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\ui-strings.js.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_MedTile.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-black\MicrosoftSolitaireAppList.targetsize-30_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PaintLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.id-9CC4559F.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll	CoronaVirus.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	lua.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
16640	vssadmin.exe
2804	vssadmin.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 470290.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4008	schtasks.exe
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
1004	msedge.exe
1004	msedge.exe
1392	msedge.exe
1392	msedge.exe
1672	identity_helper.exe
1672	identity_helper.exe
3516	msedge.exe
3516	msedge.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe
1524	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	5540	vssvc.exe
Token: SeRestorePrivilege	5540	vssvc.exe
Token: SeAuditPrivilege	5540	vssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3548	2404	cmd.exe	78
PID 2404 wrote to memory of 3548	2404	cmd.exe	78
PID 2404 wrote to memory of 3548	2404	cmd.exe	78
PID 1004 wrote to memory of 1416	1004	msedge.exe	83
PID 1004 wrote to memory of 1416	1004	msedge.exe	83
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2792	1004	msedge.exe	84
PID 1004 wrote to memory of 2840	1004	msedge.exe	85
PID 1004 wrote to memory of 2840	1004	msedge.exe	85
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86
PID 1004 wrote to memory of 1780	1004	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\lua.exe
  lua.exe config.txt
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:08 /f /tn WindowsDefenderScheduledScan_ODA3 /tr ""C:\Users\Admin\AppData\Local\ODA3\ODA3.exe" "C:\Users\Admin\AppData\Local\ODA3\config.txt""
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc daily /st 11:08 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa9dd23cb8,0x7ffa9dd23cc8,0x7ffa9dd23cd8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4904
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:20520
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:16640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4264
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:14252
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2804
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:5984
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:6284
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:35112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,16475794435314167266,6106348292383793975,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6788 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004D4
1⤵
PID:4720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-9CC4559F.[[email protected]].ncov

Filesize
2.7MB

MD5
fd7032407c3e45bc6ab9daaff0360a90

SHA1
475df94af45f2ffdc4225507d521213810ed8021

SHA256
fd5621da6d8be7d9d1c9f559206ac611ec7df965c23268089de22e05fa1fd38c

SHA512
7aa590d3a8fad5490ce7319dbae5906627a49a778210393192a83c27eb0e586d1e87c658439721dc36d88b212b048a6d439d54e29bd183f06c50cdb2ae0162d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
a7dbbaae3cb21c234b38c2dcc6887d61

SHA1
94700e4cbc6c3f07ad8cf7a135a036a5ab21a443

SHA256
528ae8ee7768c9b0feed6817fa517eac5b6c7256c0199b5dcf731ca3f94c5e41

SHA512
dda7c33bffb088f3bcdef19851cc50b0d01f977167ea94a7f9d6c3a1450cdddf0d1ff29f2601a6c65f452d10053cf62e94e7f91c97bf37485ebf3fe933212d02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
a43e8a19914cdb293d6f013a0990474b

SHA1
f3f005598af497e57978415b8ab14f808cc9c124

SHA256
1dc465a6857f392837c461a46e2dc4fd46bc740b29debe36e3a9d48da16ed6da

SHA512
90446cb532bf51b9edfbe17987b6568424ea48fccc43cc64609088313edccaf047c712fc9cbc66033bc3d4e7b85d7ccf518e56084a82bc942b244ae84ccc8631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
992bd6b1e48f7b16e410c600fddea1d2

SHA1
e76ea80ac47aa1aefe098e4c72bd87bb3c0805a3

SHA256
c9cf72c8db93aabf9b09b1cd577ab5e17dff1ef5db565761e5dc576e95f75102

SHA512
7f2fc24f59de5f497022d8ccbfcf2578e707919c5ace6d451d68d8504f15258ca708e68a876b5269c3980c862b57667f5e9465335dffa924550cfc893d3e4beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
862B

MD5
6f90dca39b24cac9ca1f84225daab329

SHA1
6038a9c0b0a7d9097d7824de2d7d92593dd2e34a

SHA256
40f8fe5353e4cf91dd4c20e0426667e83ae1d42c75adcb0a60829223610c232c

SHA512
63348b44862c74447431e01626bb232ad9545c6fb74446d7040d0d5068a98fe3881a4ce047f29489b6023e4facf8d444cb36e4ccf044f51d3ce2f9d3757788c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5ba22bb2cb165a7ad8fc0c516c25f09

SHA1
1fb94548fc18862318103358f3246795fee9a56c

SHA256
f509c5c867437fa33793811fc567ba5d7a34085183e0ac7e1fc9f5b07352f993

SHA512
8b74547ff7bd850ed6bd8974beda7d87b9c0f73dde6eb29f05de5905979bd32d791684d2889a856be7b6ff935dec73e792321a8c94381dd32f4314331e783011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28297cdcebf10c3576681e37e2f46532

SHA1
318206f6a9856ce0df204a0130f04329343c91b4

SHA256
251da3055b224d9afd2b4876936da9a77e805cc0581e91487cd1cbcf9c9bc546

SHA512
58efb04f2f05cf7eedf54bd4b9788a891418d9b24c192b50934accac8a888b57c2654161a0fa9922da4da6a94704b087dc1a5e11bb4e26e1ef9d38e1f80ef244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8efa98a774463fa45354a8b3eab4bc60

SHA1
d2986e9250f5b21ac11e71a37729468341085421

SHA256
489b69bcccd0528cf05ebd48b56cf4a054fb28da3ff4f110f40e49b0f407d493

SHA512
80bfa735a5b7ec76c8672430671340319966a26ad8b6ac374f9f6bd7271be2071b661ec73c6b1ef4bfed2efab12ee6749d7cd3952ba52c25b2b4da15664686c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
760c41e12ce776dd5d491433b3c5276f

SHA1
c067201ac7adea277437703802bacc24b2a75e30

SHA256
6ec77c719345ba6526d92851217f955c12c27f566ea939c6db1178dcca60b0b2

SHA512
90bff697bce7704bda6d43a06abaf74a12407c5e92ade1cfdc5819b45bbb889c3ce4be908194d8a9fe15de0600cd6b80215ca057c97970ac3d175e23a0bd6e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1d24134b05f1489ad0e66e20fa0d1ed

SHA1
2bf022e83af376bb19fc66f1732e653b01cc2e63

SHA256
5452fb2214041c0324838212fcb51ce12d08db82f241dd5348628f7ad737dd41

SHA512
380f19e33be4edd352a5a5d541b2584b772434c38611ac96b73bf65865e80559575829e3f66765e80ad0c4101dda3191a095c67f013323636cf8264fc2f90981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcd7475c0bf4fbdb1d95e889dca02575

SHA1
78a833bcec993ad0237808f6952ea43438c05df2

SHA256
2447c92d41f76822c949078fd9c095fe81faaa9d60725778d2d2cd360b2f3527

SHA512
eb9f42b47f194211d6bf7205e4a5008f582e6c3daf775dc7b8944289f0caea41556521ac1978378b0917755dc95c374207837b9abd4eb45e9a35bf6d33435dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
14bc1f5c495f6a32a7e975a70a2c5ff8

SHA1
89d97850fac6419053a65f7412dde940bd49d7a1

SHA256
23978a4c903fab0236847ebaa85840b06206332568656fb240ee6880652220ba

SHA512
19f3d7b06e13bdb1d65ad9fd91b76c1f3bd13de1c92de8b4b189ec36e83811452c33432396b2c383f93e9746e73a2360cf1f0c1891d496cf23e3522cd21112de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2fe0c51e40958f9d3ca1f9b22f05456d

SHA1
a4de617b7a9f30c4397c28030ec99ce90425cac1

SHA256
35ede04901e9165685a3465a7e068e448c40e437b5c44e4e805d2c888a0e9ded

SHA512
9c8fe8aedbddc3a16b72bb7ce138da6b83a2f6964d4d9a6df1f46d6c30996c33a3ef620faab2781285631294bc3ee79760a0a9537872b2ba467bf370348ad7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f00a2310a5c6c239435ab5468c89578e

SHA1
2f0ff323cca3276612d3e6716799a5d6ed13e9ac

SHA256
3c099106265815f429e648345ab964f68feb07acb0c6f11fe80fbd028e82c457

SHA512
20a7bc113a3e260d07cfe2fcb37659b5e7b0da2d0119077212e0ca0338bf54b9ae0debbc4cbc8cea51f9bcc916b9dd33c487e8d07cdb2e926b393b150c4d74a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582b32.TMP

Filesize
538B

MD5
a3fe55cbb1bcc64ca291f1a907184cbd

SHA1
00ca999df7d82de688fd1ca51beb8e1451a74d30

SHA256
6e08e2e01280d56a0f6652e88cc1aa13f874ff614073d6767da1bb69c8bbc1a4

SHA512
1a363edb3f5a82c7170294d7847bb939f79c27fdb6128950b67b82f0255ad63a681440ca61712db6707bdf10f8da8900dd430ccd8d2062d76665bfb416e1304a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5bf00544aa9e2067dae257aaaaf9b271

SHA1
2f4062c55441aca8b5e1ed5cc1dfe3ad013e161d

SHA256
85d9154087ce8fd7b01b76a46f6d8a747d479117b9ba80fb5783d6b267032e77

SHA512
0be0c267c156967ba58a64f07fbf9c460143914c5ad7e06145fe84f83f495e8de8b0e4bcc6fbff99ddca25c61efea02e27b651b70b7bf8ec91c926de6de714d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
91b792896cdd4207e73e7576c2d76e53

SHA1
c3f4ac2d1223621294a09b4d64bea3fc6b5f71b8

SHA256
febc9d4faca8010b75f99152f398867e7641c80c9d21dc6c26e81f9e83b4cac7

SHA512
a49bd98cd2c8f9b54ff0f3caa122d0dcee307be50a5c425330f9f1ff7ea9fec15271c7508de7e414fdc0f5fa409ad42b247bbbf2a514f24de4ebde073fc83296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
be62687a31478af3457f1599c3187df1

SHA1
1d12744af53a600eb744369415c45e11fc8d1230

SHA256
98c4abee53d5e3eb900305cd9c22365712c197782102619d4a74a92cee4b40fb

SHA512
b239a71941fe8e709353b0415e8ae616869d259a37faa247970afc864c6ced73fc8ecf71ef95f1e8172130fa2c81ba5069f7c35e22731aa7416b803bde9d9d44

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 470290.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/1524-725-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-36-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-80-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3548-25-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-24-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-23-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-22-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-21-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-20-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-19-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-18-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-17-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-16-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-15-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-14-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-13-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-12-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-11-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-10-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-9-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-8-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-7-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-6-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-4-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-3-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-2-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-51-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-50-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-47-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-44-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-30-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-29-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-5-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-1-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-0-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-76-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3548-26-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-27-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-28-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-31-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-32-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-164-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3548-33-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-34-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-35-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-37-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-38-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-39-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-40-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-42-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-43-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-45-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-46-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-48-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-49-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-52-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-53-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-54-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-55-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-56-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-57-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-58-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-59-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-60-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-61-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-74-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3548-75-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3548-62-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-41-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/3548-63-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/35112-17515-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/35112-24170-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download