Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
899s -
max time network
900s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
13/01/2025, 14:57
General
-
Target
windows-malware
-
Size
239KB
-
MD5
77f8ac1a34b0242dd8dc6583e17257e4
-
SHA1
f5adfa1320b7844be18795168f049bd534730900
-
SHA256
6c835a46278657afe1b1f2f7b3a47922e5debf5ab249058fc2b8bbdf772eadd5
-
SHA512
f0eae5c1b75e046e01e743f1c6dd871281e8d8b52f60f9e1e5b2e6589723c82d6af44e347fc5196f3bb617d357be1f7d4cb1a96655848007745e41314d01a5a6
-
SSDEEP
6144:Q7NnOpOL/saqkPV9Fe2LtcIDSsmwN9BvZJT3CqbMrhryf65NRPaCieMjAkvCJv11:INnOpOL/saqkPV9Fe2LtcIDSsmwN9Bvo
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (524) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
-
Drops startup file 9 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\windows-malware1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SearchPublish.mhtml1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff939ab46f8,0x7ff939ab4708,0x7ff939ab47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x204,0x270,0x7ff774125460,0x7ff774125470,0x7ff7741254803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4948 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6744 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6604 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\CryptoWall.exe"C:\Users\Admin\Downloads\CryptoWall.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,1512189766526377556,11205310321554725716,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3104 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\CryptoWall.exe"C:\Users\Admin\Downloads\CryptoWall.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\CryptoWall.exe"C:\Users\Admin\Downloads\CryptoWall.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5579c822ff7a026c9f0ed7052c234f6d4
SHA1042c01256c27dd31911fb6a2625a766f443ca3d2
SHA25641aaa1a4c2ca288b94bb3f7a7313ab6e0013ca6ec17295dbdd379f4af0ceedb9
SHA5120944ef57403a924f8dbdf4c47267997b6dd7cf07553af2b6668af8113baba72bdce7e8642f3cfd2f24ad14f59b99650d3a58b201f157130818457606011e4200
-
Filesize
152B
MD5b03d78ec6b6f6bfc8ce2f6e81cd88647
SHA1014cb7dc4aa1bc5d2cb4ec25ec58470baf5b6741
SHA256983928a84fcf0791614cc3d17d92d62ffbed0bf0f141d7544d0cc762977a3905
SHA5124699916bdfa5776d72ad2643fad072a7a19783900608290bd1246a19624d61b58a1d80eceb74215b7198aaf04c526fa8703d38f3c5fdcc1add19b87508685ce0
-
Filesize
152B
MD595ba0df0c4c417ae5a52c277e5f43b64
SHA17c3bf3447551678f742cc311cd4cf7b2a99ab3be
SHA256fdaa82c65558793b81117a66acd5645d4072f6b71f164ed2717a17cab6e727ea
SHA512fcb35a1949664f218ae40c25fd6eaefc4ba6417034a522f0800c50ee78e530c33080faa73ff9ea82f35749d404d6b9c94fc7e8e224689503e699a5ec2b0d5abb
-
Filesize
3KB
MD59d1c30a8d812ec89611caadf61de9fce
SHA14f744ca98d0f65749bb529eba571bbba22fc1072
SHA256382d9696ecff20ae4667e657136dd345db62e8f9257b42a324ece54b6a755490
SHA5121ad9667329a6b12f0b71a0b25aad41495523bc8dbd055bc5ce6b3612e1fad95a79dc5d17adbd4c296cccfbc351e4ed6254a17ac16640a3c0b618ce84701f1727
-
Filesize
48B
MD5a9ef6e6a3189e3f032315536ab4696b1
SHA1aaf8eff0b3d1c70de20f53ea00ed2260860f8382
SHA2569255cc679ce4299d9fad9a27f91fb7527b8d17f431205260f12c70d88505afc5
SHA51267c51c25a701217a2c2bc3d59acd839155bf507cb3b526183c695b0c16dcf4d475c6863b46d21ea235da039c798113a8af7e46ca90e8c32fd385f46c16b88fe9
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
788B
MD5ac2a5314322c55d3400f2cf779d592c3
SHA12ae703db0f73f0930157249d6de178af6104c974
SHA2567817fdaeb9f12acbc45d3a9425b2f48cfb800fe3c9fcc2164430beb281fecf6d
SHA512af3c882ef8f91561b1941b94edb0209350b3ac24536380b4e76865c560499acdf135b36dfaa2c2fe99068de41ee247e25f1e1803c4aaef30afd37f813ef55ad1
-
Filesize
871B
MD5562fcd67ed866753e97ce8060f2ed997
SHA17ca0fea2d621bad98a26beb21c2892bb6f13ff92
SHA2563fd90a8d195716669623f0d9e500c7999d86cc864045786e9694cd74c4466186
SHA5128d3c7adbddcc3babe49bf2e4b1553b28571ea60059e46d9ec3eebb30d800044c4d61f2a6b04a13ef88cc80ba77f9922a82e2840c5d6bb05aab03886f39213785
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
6KB
MD5a0bb19e5359135df34a8c5018f54e7cb
SHA1689ebfd35ae80befa3e9bb10635b144bcd81622f
SHA256cd076f577ff6886476aeff27309fcd09f56d801421bcbd1f4bef4f7fb15edb20
SHA51221f749a5a0a8960c64c2abe6c2910b23d848ad8cb477725f737d5bd58915ef2031d0419fd7e2763d998f3522b623cc93b50c1596c477b7d798e08f7de23dca06
-
Filesize
5KB
MD55b0437db81855cf00c7a28014420fa4d
SHA14f0693e2efd6d8b4c38f3dbcf5cbc8143302f413
SHA25650b2c38ebb22304edf86124f17a10eec0b626d398c70b5895fe58cfb53d8eba2
SHA51241a2d174bda0529950bae6899f3e873058cc22b1093121604c1352b7f218ea74e307c195146045d6eb1b83061c00da70c364f86f0dc8447777dc620dcd9fd6dc
-
Filesize
6KB
MD5cb095e22cb5a08bd9f94651961ac1241
SHA1a817aca03186054245fe547db0f35c01f60e37c3
SHA256e9ca1fc9bcec9b21f9b74bbdc37e88fbc1ba23347a260c69e245e671c5660d5f
SHA51290c7a472ef0d1f15d08747a2d6b3f245bd61332c62ea5edfb0710951d7e2c382e4162839259b7a722eb2a138128b1519f0ed28d08c235823482e5cd7e1bf8693
-
Filesize
6KB
MD548d96855ef93a4851376c07a52eb3289
SHA106bab58eabdbcab65338127fc37d160a34edb672
SHA256917b287586fb350a6a47ca9c3c20fdf3c5ef9a488a18b648c4071baed43c4a43
SHA51227932a0a8ea220aafd2911194975fb3992078dcac9e75755a9bfba15cced9db2951a4718b1ac1fcb00e6e898dd21ee21c542d4f0efd4668c6803d39d71caea89
-
Filesize
6KB
MD528b6dd549c3b3a73344b6421b85606a2
SHA10096b49c97b155e76b0f7704ba947c10be616bc2
SHA256b3573696e3201ff7eef8917657b48380d57f3b7e9f94f8762815131a73a64014
SHA5128216f4336e65b470d60a20f7cd87cbfeaa557c6be671ca8b24ca743378bddd896a435408d3804ac232be1c021f5126d3788e30cfdba5e5414d136635eff5f935
-
Filesize
4KB
MD5a2b20624ff1aec6ea0d67115d3ce7e90
SHA1358bd47207ee13a43820208093c02dabce15f106
SHA2560f4b6ac21b5df24973cd2d45413927e2a8c6e3cdec7bef628fef8719d6673c13
SHA5124c0b0005018ee35439790e473f4be2a66fdc54a4e68f8fa79b4c27ade339108b23fc8fc87eeee834d8367eb50cefa1235f77e6caec282aabf84974f148eb6ccc
-
Filesize
5KB
MD5fb9c561d50083d56456069b7e9893348
SHA1e0243551612f6561a85cc34674f195c81127243a
SHA256560ca613637c17ff4a10960544cae4c9d6e748c18e7ed2a5de37ad38ac73a774
SHA5124edbe1a8e5ec1ff797a044b5635331e0be5894b641c26bfca2b67522fb48d6252c95d6762428c932c72cd62cda01eb0249324305b36901ed507a7a1c4c823853
-
Filesize
24KB
MD50493f44576fd7d9b6216b7387a26543e
SHA147d35c7f2990ec4668ecf1c01e0e5f623153a3f3
SHA2560679b6900e2118e17164159f449fdc1f6bf20c0cc0b056cc9aedfae42a830ca8
SHA512a519962ffb281d471bcf63c0bf75bed19d4eeac591cf6bf8565af14dde1d57fe8cabfc05bec52b2087ce8c6f637dbefb438ce22054895dc116b31bffa18e9cd3
-
Filesize
24KB
MD51cc3bc2b1c52831cc0b972d856888e8c
SHA19ffa8cf55aa29f6cbdd5ec39b1b33938b29e9990
SHA256a8f894b23c518e04d94f1bb51343443de8121366171d2f05441283dbb1cfdd2c
SHA51285bd6789da57c911f9cc35929ab302829614a4f03b3de30e28ab16558279ed02200a7db802c9bcd6b2e5886ea3c323d6a39eb8c3ee309d8b5702be65dab7c3dd
-
Filesize
1KB
MD54b017522e5b571f2e8f203baa83d109b
SHA1ab354d86479f2e5cfb3059cf6b7eef744a0e8d19
SHA256c20c8044311807472694d2b59f92a87ba4ed08702f257b4908b729f61bf04f1e
SHA51278b182941b5f14dd88fc1c143383a79f5ab26af008dd0dd2a60e03f9609a90577a7b892ed58478b9322cc80d4242538cebb36b549d208bc33584e0071e5189c5
-
Filesize
1KB
MD52875ffa765ccf4e56258b6f72261a1bb
SHA1009f798845807a2228c3022f4ecf23d7e7cb6628
SHA256ccd43c4992a990a018f679f9f07784ee7576599697c856284e355bf19390e0a2
SHA51237e9e79ec03f6608441ad721ac0e91e621d3affc49a2e6725e27713fa970c9f518046b6c531f7835143301f771f853750a24ae26827fd8c449de4149634f6671
-
Filesize
1KB
MD5ed1e3ddaa9c04074e86689cbb41962cd
SHA117ada6487a8c70e187a979c737339d16cea74280
SHA2566cb4699619d19f0067e6172611869ecdc16349f405a9852fbc6688e5ee86afcd
SHA512b6b457a62fcb9ec368a194394f067fc4c61d55ef84d6c5b90ad77adf37cf77b20e7f1faf6668d2daab3f06962393625a109742ac01a49b2647b0533ea1e768f3
-
Filesize
1KB
MD5005ce6d9f9e147e17bdf3b92d5eeb5d9
SHA18819b89936b3902311edd91c32c814ac0017a8cd
SHA2560041d7c8b8e536d5377b2926dcbf04a4cce4e0f002d420bea63c28169d992ea5
SHA512be16687855ee40aec395809d79728c32f5295fc305dae2e76ed88fefc7f9567e6ae8eceaf13c96e0a40d4e0c73dabf8c79a2b864ddcd57fa5b6beb8ab3359591
-
Filesize
1KB
MD57a9139ff4fca0138ecdc9245fbcfca6b
SHA13e8f63017585a2ffd088b5f0119436e1fa074463
SHA256983e70e99261f6a9d2b240fa2516bc1430a6512d5c562db666e825b70bb09bd1
SHA512e000a2b0691d51d7f0860860af86ad569e205e503b3ca247f129709adf6c192305a6e71fc535c7710d7ab828c40a03dc4d374a5c01d7ac0c0126a21137f7f305
-
Filesize
1KB
MD506507e1e735dcdab6490af2250adffb9
SHA11495710f26a6b8766430938998a7d50610e8c161
SHA25641bb2205665cf1f5717bca414e84f12b406a43eca9526032f45ce92a19cb4b09
SHA512c2bbaaa2e0abf2914af8e711dabb73a2744b21a2b7849ff371bf27721dc9a93e34cb15f72b05c3dc77cb0674072e0d36c5e591ec186e2451d6b029e08c9994b1
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16KB
MD59e02552124890dc7e040ce55841d75a4
SHA1f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA2567b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA5123e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD505a0df76316bb9c159acab2a658ec44d
SHA17467df166651517fb983d162969ccae42b843bda
SHA2560f0dda9da5f97921dcb0d894c8d4d8efad788ece20fc1e9f6f468dffb3ab968b
SHA512728f7f4d8cd40cc52ecd6fcd2c7446ad3904ccd165af1960b94cab8c57985844d7be37fd467db0980e236b5a915f6ceb9e31234ac36ce54d4f5aeae2a52dbc00
-
Filesize
11KB
MD55fb3a0f02d359069740eac1b1788c331
SHA1a9bba57da532acb9a472fa4afeda9d077073df02
SHA25638aae88bf5328b133a9c22fb3212593f9d2b1e33d455706f3765d3a51de64666
SHA512abd0c8b7b08d8bd77c7972ec832d31d294ec660b5619679a3930abe9971b33f0711dd7d3af606aebc778581702c8275d12209abf72dd40c7b0a55470c7af3c99
-
Filesize
11KB
MD5700919bc6c8b81453f055c78fa3bd6b2
SHA18845e5bc09907e6df35f5b3880ce13dfae54acbf
SHA2566b517d8db62f360868bb956262ecef0dbd8b59f604a6d87106eaa7aaa41026a7
SHA512b81bab123623a516d4354d8965614a2fa197c766f311f7680f134dc48a1dc4d09950c45b1090615f3356bf3cfbd9c3c11363c51e7f65e39f1391ab88e6f57208
-
Filesize
11KB
MD530bcaa8d9866bc43b2e6154f1aa13bd4
SHA19c723404191646748fd9de85c66e4329849d0f24
SHA25692313481fe4dc0ea7c3646f4e81cc2733d6f9b7802d9c6691f3dbdcd699fb9f5
SHA512d1df90f56d9e4348a13fbd73d367d8c9956c473fccf59afb59f1394db65c3183f24000a34a40060a72a86bd9d711d45876d7148207e960aa19a93fce7f788cf4
-
Filesize
8KB
MD5528e960507509779ea851437a9e1149a
SHA1805049ed5b3e8b3057e94d227d61dca28f6d1569
SHA25669d2fe2a969b63c5d259604cb00941444d48a6b95be8f0eb57662f3c603f9531
SHA512768f80538bbcac11cba3e0671208410267b518fafd3c2f16c611892efc7e913faecbf2d2350f1c42de94ecad5c240baf36b063b1a69790c9627f3a1945a07fec
-
Filesize
3KB
MD5060c5ed240803f4a06e508faa5a55605
SHA1f93f3ccb0a74d495e1986f1390902243d9d755d7
SHA2560f7064f393fae9a732e4d03700f0a4dc86ad5551f86ebbb0bd789364eb9c142c
SHA512fda65d9cb5fd543eeb6c4152fa6ff03b6913f15d45474209fc19dacf4f14181937be8df83632c7c85afdb6c6f94e80d1e080464deeb531ece7bcc0e15a5ad9ef
-
Filesize
3KB
MD550eeb663b9c63cee1cdbae2518104bbb
SHA1c03b1b927cc1bfa034bce29b562c0566b088dde1
SHA25620c731c54659a0fb8922178a39a58fbf235ebefcbafad71266bd3528792a84da
SHA512b4ba87617fe6b8936345c2232d3c64795fb628e92034fde9f4a873021a21d1643e37ab09bf7066b95d2479cca7c2086bb8c18546ab81677d2a5184ab59919803
-
Filesize
132KB
MD5919034c8efb9678f96b47a20fa6199f2
SHA1747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB