dharma | 188698d10b1f7b9710061ec95e0aec55a0cb2239e622fa4f7fdd5d360d00a007

Resubmissions

13/01/2025, 20:22

250113-y51mqawqc1 7

13/01/2025, 19:33

250113-x9me8avmfs 10

Analysis

max time kernel
177s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 19:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Windows11InstallationAssistant.exe
Size

4.0MB
MD5

73c8041e8b532d9791ef3987f82d73c2
SHA1

0ad458c01db820fa808d41d38e282cf962806910
SHA256

188698d10b1f7b9710061ec95e0aec55a0cb2239e622fa4f7fdd5d360d00a007
SHA512

a5402ec7871867d579d1a9c8142ebce31c23153ec4395e746474e524531dd58781a0644cccd869333c044a41e61fef48e118f4ed46860bc8cb7b90fc60925304
SSDEEP

98304:HgqIctyETh4cCpI0kwJF4vY5SK63dzBEZht5f/LyXtcH/AU:Aqtyih9Cawjr/6NAjyXa

Score

10^/10

dharma bootkit microsoft credential_access defense_evasion discovery execution impact persistence phishing ransomware spyware stealer upx

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (132) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (529) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Windows11InstallationAssistant.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 13 IoCs

pid	Process
932	Windows10UpgraderApp.exe
4140	CoronaVirus.exe
8936	chrome.exe
10952	chrome.exe
10964	chrome.exe
10972	chrome.exe
10980	chrome.exe
10988	chrome.exe
11272	chrome.exe
11412	RedBoot.exe
11524	protect.exe
11552	assembler.exe
11632	overwrite.exe

Loads dropped DLL 10 IoCs

pid	Process
932	Windows10UpgraderApp.exe
8936	chrome.exe
8936	chrome.exe
8936	chrome.exe
10952	chrome.exe
10972	chrome.exe
10980	chrome.exe
10988	chrome.exe
10964	chrome.exe
11272	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
122	raw.githubusercontent.com
123	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/11412-27085-0x0000000000A30000-0x0000000000CBE000-memory.dmp	autoit_exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001db06-26869.dat	upx
behavioral1/memory/11412-26889-0x0000000000A30000-0x0000000000CBE000-memory.dmp	upx
behavioral1/memory/11412-27085-0x0000000000A30000-0x0000000000CBE000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\omsautintlimm.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\BlogThumbnail.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-400.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board_dark.css	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\multiple-plans.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\selector.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Contain.Tests.ps1	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jmc.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\ui-strings.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ru.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\logo.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\ui-strings.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ui-strings.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\plugin.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\AppStore_icon.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF	CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_LightTheme.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.id-6FE364E9.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4408	932	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	overwrite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows11InstallationAssistant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10UpgraderApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedBoot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assembler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
41080	vssadmin.exe
41376	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812704353109707"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe
4140	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4140	CoronaVirus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1756	Windows11InstallationAssistant.exe
Token: SeRestorePrivilege	1756	Windows11InstallationAssistant.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
932	Windows10UpgraderApp.exe
932	Windows10UpgraderApp.exe
932	Windows10UpgraderApp.exe
932	Windows10UpgraderApp.exe
932	Windows10UpgraderApp.exe
12512	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 932	1756	Windows11InstallationAssistant.exe	83
PID 1756 wrote to memory of 932	1756	Windows11InstallationAssistant.exe	83
PID 1756 wrote to memory of 932	1756	Windows11InstallationAssistant.exe	83
PID 2524 wrote to memory of 972	2524	chrome.exe	96
PID 2524 wrote to memory of 972	2524	chrome.exe	96
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 3172	2524	chrome.exe	97
PID 2524 wrote to memory of 1480	2524	chrome.exe	98
PID 2524 wrote to memory of 1480	2524	chrome.exe	98
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99
PID 2524 wrote to memory of 4664	2524	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant.exe
"C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe" /SkipSelfUpdate /SunValley
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1704
    3⤵
    - Program crash
    PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 932 -ip 932
1⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0xfc,0x130,0x7ffc0c94cc40,0x7ffc0c94cc4c,0x7ffc0c94cc58
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1752,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4464,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5048
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff609e24698,0x7ff609e246a4,0x7ff609e246b0
    3⤵
    PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5300,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5304,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5188,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5452 /prefetch:2
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5476,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5112,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5516,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5656,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4356,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5764,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4416,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5124,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5044,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4700,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6212,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4476,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1932
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:4140
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2124
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:20524
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:41080
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:40856
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:41156
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:41376
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:40948
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:40980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4664,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5540,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4060,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5648,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5640,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4596,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5900,i,13418034098733148765,4657684773283045525,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11272
- C:\Users\Admin\Downloads\RedBoot.exe
  "C:\Users\Admin\Downloads\RedBoot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:11412
- - C:\Users\Admin\67057809\protect.exe
    "C:\Users\Admin\67057809\protect.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:11524
- - C:\Users\Admin\67057809\assembler.exe
    "C:\Users\Admin\67057809\assembler.exe" -f bin "C:\Users\Admin\67057809\boot.asm" -o "C:\Users\Admin\67057809\boot.bin"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:11552
- - C:\Users\Admin\67057809\overwrite.exe
    "C:\Users\Admin\67057809\overwrite.exe" "C:\Users\Admin\67057809\boot.bin"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:11632

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2352

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExpandImport.M2V"
1⤵
PID:12264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:41312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:9540

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\37ea32b409a84d76a4d2cd32712df69a /t 40984 /p 40980
1⤵
PID:23660

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5c64a59ddef7476e9bcee41f791d4f01 /t 40952 /p 40948
1⤵
PID:10504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3972855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:12512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
45d00e80581a224f60ee62e5a0a9f253

SHA1
a1016580c15d3eaffce1dd548db1dd927f9f8422

SHA256
a3dcca311b836b0644a465ed48ef726217ef530ffdb296cedeb8069776281c01

SHA512
1c1365bbf018caae353f511ca2bb4fdd404c28d3de29141325e0b52751b040729ef2f21a7c845f4708e64d8a7946bcc649f0489a6b58bd8ac86253246a7d4e35

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll

Filesize
197KB

MD5
49b42f4e7c5f4b290aba92258fb81348

SHA1
41bbe19d3af1e62b9c85bee3b6232de4db1a3231

SHA256
9de477066c8ac228f050892e1ddc6e2ecbc8ead0d82e0f3be9c8e9caae8b581c

SHA512
18a7860eec7a2c1bf7c13fa7edb95f775614ecb19eccea5a3dd246093b83eca534da7083b85d51e174902e3dc1b13fb10d1bbcc68003f3a92d677e10b907304e

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-6FE364E9.[[email protected]].ncov

Filesize
2.7MB

MD5
8736cd80f4db7e7b9ef12f12662431cc

SHA1
b898c7eff428836fb41f06574f84e4ac94041c82

SHA256
5c251a3303c129531c452e8d7a9cc7a46eaae849da2c1b4daa3c3ba6174a75f4

SHA512
559b7e836339f00da4e1e461cef8fcef31ec12c9f06f5943fabe1f77836edbb4da9a604a4ad7c7b07d3792d1b5a697c8d06e285b4dbe3c96217ee059c8c42236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9567968b38ecc2085a4c6ba4499864ec

SHA1
2521847a194745fbc73bcafe100e1c983e56a8ad

SHA256
b50e805496b39aceb31e008580761b4e8a9f8870057f5523ff1417a503422605

SHA512
dcc841240a332997c886d4bbab161597eb2196decff1d5cd6dd490eada0d88169c3b60abe6b04b68cedaecc94bc9ffcda8c60509e7b4f4fdd0505b5738527f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
f2c19c92d680cbd4b28bd74c08a03328

SHA1
296a09512108cc7a927571f724a1c6b9f6e841b5

SHA256
4d07abae18b0d387a1f80169c3af79ea28e54650076d6b2b2daeccf155c88c55

SHA512
9ae1c2ade5c8833cc4116d4966bc87205419a6c1aae6ff7022b3bb4784e7048d5ef557cb342b5de00b046b5df8a92f42b11fae1fb71cb979b64f5f6280f65e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e0e6cf80de436433f29c4be7c8ade12b

SHA1
856b0bd699b7544965566fcd5e4b9fe8f16293f2

SHA256
56811ed0a1ada6f666238a625a55eff9bac067f1b890aea9e5a174a6178892db

SHA512
28b64048c7231a01eda5b7bd4d2f12123d3f6f0024f1c5dbf0f9f87271a0d14ea901d83471748a306b4b2af0d11ed640c96720c3345c62713d4d8af36139000a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
13412817cfae35f266b5b1b94edbe432

SHA1
e76c575daab49993c5e854c7e7234f7d06bbdc8b

SHA256
fb555eaf5e13629600f70470902680fcfe8485c2c98f96f7b9421462658ebcda

SHA512
7b69e0bb4f1cc49169f20c868db07d832f35f3822340499ad11762a3e3e03c16a5203cea7dc853ca9843f3b9860274b36ddb0358ed34e0c59314a2406e48db3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
abbdb51f883e44c8b60f6e8fe04a37f0

SHA1
75248fd9fcf9ef82753d89ef00014c2c11858a28

SHA256
f3d290dcfd29ca786eabaf99dcbc41da29470406bf9120fa3cab5d04104c05fe

SHA512
a3af08dae09f513e05cf12e6b105830f5038051b02584929e39486578de8984e52b096e4c61eb1fc49f50ddf78a2e008415e50007acfdd48df6f7b737fe5dc46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b8dfcb187523db7e0b6e6700a160aa94

SHA1
fe29263e252b01713b65abaa69978ba2c989e266

SHA256
ba932912a284fdfe19e4213d561609adea0b77b7e76a77fd70d6e79224fd8ebf

SHA512
e7c254b21fd8ebd76d642dec095c2ab63b3e7bdcb4e93ad2a5b614aa7f5b665e2cfb1b4f0c3a754f41707efd5f246913bbc2ab5be7e09343d065005936e65494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
327b547521fc797f03045a0b8f8e7d41

SHA1
8189b261ce77667b436baae3cc061d44b1c887e0

SHA256
a645029d25f7f594e6377311ae9cd3032e3f0633ffbfaab4a6b7539b8fc4f357

SHA512
1919e2b8fbd3f2a9c445eead7960367c6b8325690dbe8dcf254af5ee617c79c3058b78719729025fa917849c471c53c59dbd87cdf1b6beb67e6325dda23307f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7220093e9f24fbaf1fbf35a76502d311

SHA1
c3326ae845817b84967af9fb7698e0e1c99c469f

SHA256
798af8b10c57a8777cc45947138352c96b50201c30e4ff4990e496d56819310b

SHA512
822fd946056c19b03a974735e1308b32f3110a32cf3cababe2130e0d384007cf34a0dbfed05cb2996bee8126b398e808d8cedb01ab0153a55def2ee2c6c32e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8fc24941ccb86bcb95734ab9449b09ee

SHA1
0bc90dbca0fa6b1b6ec22af06f09878497137dec

SHA256
3789a22634757189dd0a19284203517ba9a100ae6bd281154eeb1440a002dc1b

SHA512
576087fbbea27afb3107cd2b5a99ff7d78eb8e494550140e3f9da24c4261ff02e99d9d94c31fdfc7d4a3af09381c3c4c6ae3b87a88c28950151d4f64c5554822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0b4b292fe7e81b8a6cfc323da82a0d26

SHA1
d09eb1acbdb62755f476917b8cd4e8d1bc5e724f

SHA256
611d2296fa579a38f2aa4e0f5501ded6bfbabd47f8f401dc482a1b28119a1656

SHA512
5adffec712524273b0e83ef8d7b81b9942d4961baddd56d1fdd5f6024f193ae5f8c88d780fff23a3f142ceb36c5dddc899e32ee8eb9a6fc303715665d3c8309b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7600dff362b4f9abf2291d7c5623aafc

SHA1
4d99b9dd311830a8b6d99af4f43d700578e2e3d8

SHA256
907ab5036d0d25a8d9d9f6d1c65a4e32fabb76b77faae4b5bbdccad1c43de7d4

SHA512
61f70fbe2020f40ccf20546738425776b8ee2f7eb7297e4b4712e653690547e17f68a03f3ee09719e14ca1018b588fa6972d3fec21b21b1f4b9534029f8dda9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8a95217cda7b6c1d8e565c52033f9936

SHA1
ef5bc5ec3ff22c769674bdf4f4303b9f700e2f1d

SHA256
dfca222e45d30daaceb3d50519e326cb0dc8c9541e103c3f6328049bad207299

SHA512
cdbb7d5ecbe340d1fe5a112dcea37fb3e93803715010139887c8ca3663f4fd73c40d584d937a8a0c759f804d03ef94f50a3c70ed294c2f55945b7a0deb1a3a63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cbecba8fb2a2aed86bc346bc669e5e32

SHA1
e071c8d606cf49f0ca06bb2051d2b972cf7983c0

SHA256
dba3a0b26971df135f21e9b0322bfe103c8288b9b33e68781313201a2864df76

SHA512
5d810799a8b2203436128a36d895c6f06b2a63026d3ee1e94ad21b8cdfdc4353bc69df3e6272f11ae9f96fe5d6b51918703ebd5bd920a6e3ff0d7e9a76068b1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3156eae6507f822eb06c8dd8cbef8aa2

SHA1
c66b43a85a95c0674b0cd7561b30624609ad2937

SHA256
64de7de6489a8a3461c898412de87935d2d4a995feabfbbf5ddfc0c82325e254

SHA512
a9e91e47d128daa41ad31e9d8cb9fcb44b37eec3489e692320c825cd9b4ede50ae3d1ec067f71f9b5c53d7f48f476fca164db0ca8edcc631fd213b69369d4757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c3e3f770abdde3d58f3e49f74a783532

SHA1
4fc2f03bd055b45f3b5b5142a8e6c6c904d96eed

SHA256
0fd51c046d2cacc390c826567c36482c351f78677e432ed8cec201c105411d8d

SHA512
5478425b267b875611b013b9b604d5ef0080e81c19359447cd3b4bfa8b295b383e8e50292f4d190e1c732f18fb116aa236d6649242bd654b27799fa70c68393a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1f1b622e0de35f6556641fe74e16fc04

SHA1
45d197fda57b63482b8e3a01e73c90eb04197d9f

SHA256
5cfe42041b24cd6ffac9fbd4cf5da326669aebd7832733d6fd948970ba3617c2

SHA512
a02b519a1a25bff83727c526fb70dac1e1c45ddbe7e938e38e072f55be5cd2cfd9aacea3a0fbe60a21dce38fd87e109ea4c1ba76c508338fa01a4785e5b7fba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
414b21cb8c4775b27c7556b93d9bdfbb

SHA1
0cb33b8a687cf780f8be735be7992366cbae5421

SHA256
0d7a0062e562979285db549b83c19cbad31618c2849cbe5ffc03ec66c844ef46

SHA512
7621b938cdb64feb132e005052c4c6bbdbfb1458c588706d15f038202cc7b95aaca84976a426d062df45c502237f12f38c3de0540415f09ce226045361a04343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0ac45edb3c29d12bc0c2a18e92ca6869

SHA1
80715861e0ae6c1e648d948bedbc75bc67f5a7d9

SHA256
be137cecb29783dc305826a898b4a19aea70bedc8f4d667e9933d1cb6b5c1d97

SHA512
a709fc3b14bfb9c7dfa5fef95add29872755fbf6ab35714e1e016c1b6d4f88173f18cae799257b520525a72a129e38800daeabe05d89468ee81144c9c27146c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5ed343de451c85c7658fc07278bf6d34

SHA1
09d578982a15e0ff3229a7e2d9936fc9e9467a42

SHA256
b86600e56f1cfd3dcf971fb94bbc5695b059a8e05710b1779ccbbb57b8a15858

SHA512
59f630cbaea1d89601b3ad656b530dd80a7823394b87d2ceae089e27e997e23343d53352842d197a6f32f5051ac7bdf2f9624d5c618879c04cf219df97a16faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5990cc.TMP

Filesize
11KB

MD5
c0d73279fe026fb1002e5668846effa9

SHA1
343910ef65996c5a5ae8f67f452c63dad78c4929

SHA256
b54c03cbc5d4167f93c3a41fb34c1e67f00c0d40596dbd67f408e24deaac2bf9

SHA512
8fddcb0f74298c39b0911212c57b45705db0739521845c970305e0510b925364f85f6d37707682eb23760e23283662da46f72acbbe085143bf442ca4668f2551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ac5e8f55019726b675add0b6370c0d8d

SHA1
15a7a8245d0a51154bf50e45286a21e76e968dcc

SHA256
58f49fe3746b6e29f681d1fa55673e50fc9ba811e35eb2d485aa9fc4570e1425

SHA512
9f0f95d0a5ab39fe86cd51de6a5536a1d7020e8aefc7880c240388c3cdfedffef0d67296412b79af40543e42b4bc75174ceddb5966d929ba5763cd5ba9bde580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
858cccdfdd1baac2aee510995ce424df

SHA1
d07232ceab72ff97ab0a1f6f414d1fb04baa6368

SHA256
1509f71fd018423563226efd66f91aa8c91f226549ff7814c317a6452054754f

SHA512
905767c1401ea80b1feadb60e4d1f91e4650c4f6f005c53e0a988718cebcca0674c5759396ae8715783d1d6b95485abf63ad3b0204a0ed27686b8510beba089b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
d40f532973d5c032e723eff94bc414c0

SHA1
3049e147db05964e90fd1a1095d9713df1f6bf8f

SHA256
40287eabd6e667c6a4e222ba44c0ad929daa1426a1c6e34953aed03c36c18679

SHA512
a136ab60712ed7b596e42432ec8d2c08e1ecb9f010512f429392a2ca1d53e03776b07eb42091ddc17c69f33a4ae56871b368d2cbfbcbc30feaa34d99a289c262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
a91ea77554188ecf0e8327306121b87a

SHA1
06c27f684880b15bd22e925040cf12f3a119634a

SHA256
1e3b9fd4440b42bba6b7be2c2d90124fea2e5984cbf0c078154b40a6c6ac1a4d

SHA512
b8ef4ada9e959c5cb39be3be5bd29cd8c8101b68456642e51a98586d97d4c80af1f1f39f64645a6a4802f058dbcf0ec8e04944e1cb4d728d25c4076d0fdbe034

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA604.tmp\appraiserxp.dll

Filesize
364KB

MD5
9d4f6fc6fd8dbe8e7b498651e0af16c7

SHA1
29cb40c374a35220b72bfa3ea9ed4ffa1b76efc3

SHA256
2acab73e737e9eafa7c74ca3c9b0762a9386016be7cc1ce0c090b00b793a7157

SHA512
7db4d7e0d4ca4c6cc2e2d1bb21915cc240656e94547bb3c3363bc068c0ce490f9e0916bb8745762053e05f1f7e8752a8cb1d83916a71e3a098333b32ede504fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA604.tmp\resources\ux\EULA\EULA_en-gb.htm

Filesize
68KB

MD5
05627bc6899f8853de9a63f304d1937a

SHA1
11ccb451025a9b3d1f58b44b730521a7652fdb74

SHA256
49aa5fe536281681d0bf933c59622910753c0ee4eb26d96f548cf4b2d752129f

SHA512
2a0c6569b1dbf7a6754cb870325eefc028f69a758ca44c78da9ac77b03f60feba862e1bdd230ab6b78efb64e0da056917a50b18dd9adadd7e79f1fbb164eef9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA604.tmp\resources\ux\EULA\EULA_es-es.htm

Filesize
78KB

MD5
75c32dd12eb6a303f16b4561aa4a3720

SHA1
628b9c1504abc72296821575f769a14d4635841f

SHA256
2cd165a4c0828c814c27b1ce07c3e4d8f254cda4eb2e91cf87b242c53002f312

SHA512
b6759d223f0bef67f36ca74bd519e3f2cbf8dbb97ff218fb2f236cf41facaa08cdd6e8949adb4e22c75a00dd19e048c7d2fb68ef3d9d7f790ab7b49ba44b42f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA604.tmp\resources\ux\EULA\EULA_fr-ca.htm

Filesize
82KB

MD5
b0bbf69d2d7a34f86e0acea9bd678ea7

SHA1
c0343796308bdfe623eb1f0caf99538eb58b76fb

SHA256
531ae3e6ae92c7d173415fb7a3a95fdf61fb3e3fcb703a4606c9590225f03aca

SHA512
7bc0b314cf4eb625aa56e6134f1cd544ce1f38b84c7a478ba2f34a484ab41328f820a1601a8d0f5ee602a59ace1e496f69c2820ce472b8d57a5dfa5fc8be69be

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA604.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2524_1188392936\0835e356-4214-464d-9f48-294de253f9d3.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2524_1188392936\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\RedBoot.exe

Filesize
1.2MB

MD5
e0340f456f76993fc047bc715dfdae6a

SHA1
d47f6f7e553c4bc44a2fe88c2054de901390b2d7

SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

SHA512
cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

Download Submit
C:\Users\Admin\Music\ClearNew.xhtml.id-6FE364E9.[[email protected]].ncov.locked

Filesize
2.5MB

MD5
48a2064e8e08cc0fdcdcb95d6b292d66

SHA1
a5a623ab3dfc406e3f60257bad1ab6372242d88a

SHA256
a987c8cf650b9e98835ec72938e4837a3b1cacd4e13b44b73e537d52810b33cf

SHA512
65cc76128d03db99a1285c111a52f385bab94d5520ab5c81726ef21523e59778c85919d562c9936a5901bc05f6fbdae1045dd85974215264f442285334fdf5a5

Download Submit
memory/4140-6473-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4140-1238-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4140-1218-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/11412-27085-0x0000000000A30000-0x0000000000CBE000-memory.dmp

Filesize
2.6MB

Download
memory/11412-26889-0x0000000000A30000-0x0000000000CBE000-memory.dmp

Filesize
2.6MB

Download
memory/12264-21533-0x00007FFC1D090000-0x00007FFC1D0BB000-memory.dmp

Filesize
172KB

Download
memory/12264-22742-0x00007FFC1C680000-0x00007FFC1C718000-memory.dmp

Filesize
608KB

Download
memory/12264-22740-0x00007FFC1CC70000-0x00007FFC1CC81000-memory.dmp

Filesize
68KB

Download
memory/12264-22739-0x00007FFC1CC90000-0x00007FFC1CCA1000-memory.dmp

Filesize
68KB

Download
memory/12264-22738-0x00007FFC1CD40000-0x00007FFC1CD5A000-memory.dmp

Filesize
104KB

Download
memory/12264-22485-0x00007FFC1CCB0000-0x00007FFC1CCDD000-memory.dmp

Filesize
180KB

Download
memory/12264-22292-0x00007FFC1CD60000-0x00007FFC1CD86000-memory.dmp

Filesize
152KB

Download
memory/12264-22291-0x00007FFC1CD90000-0x00007FFC1CDA8000-memory.dmp

Filesize
96KB

Download
memory/12264-22272-0x00007FFC1CF30000-0x00007FFC1CF5F000-memory.dmp

Filesize
188KB

Download
memory/12264-22263-0x00007FFC1CDB0000-0x00007FFC1CDF1000-memory.dmp

Filesize
260KB

Download
memory/12264-22216-0x00007FFC07AC0000-0x00007FFC07BA3000-memory.dmp

Filesize
908KB

Download
memory/12264-22195-0x00007FFC0D9B0000-0x00007FFC0DA98000-memory.dmp

Filesize
928KB

Download
memory/12264-22134-0x00007FFC07BB0000-0x00007FFC07E46000-memory.dmp

Filesize
2.6MB

Download
memory/12264-22027-0x00007FFC1C720000-0x00007FFC1C7F2000-memory.dmp

Filesize
840KB

Download
memory/12264-22026-0x00007FFC227C0000-0x00007FFC227D1000-memory.dmp

Filesize
68KB

Download
memory/12264-22025-0x00007FFC22900000-0x00007FFC22914000-memory.dmp

Filesize
80KB

Download
memory/12264-21534-0x00007FFC07E50000-0x00007FFC081E0000-memory.dmp

Filesize
3.6MB

Download
memory/12264-21532-0x00007FFC1D300000-0x00007FFC1D322000-memory.dmp

Filesize
136KB

Download
memory/12264-21531-0x00007FFC24440000-0x00007FFC24459000-memory.dmp

Filesize
100KB

Download
memory/12264-21530-0x00007FFC25460000-0x00007FFC25471000-memory.dmp

Filesize
68KB

Download
memory/12264-21529-0x00007FFC0DAA0000-0x00007FFC0DD56000-memory.dmp

Filesize
2.7MB

Download
memory/12264-21528-0x00007FFC21A30000-0x00007FFC21A64000-memory.dmp

Filesize
208KB

Download
memory/12264-20937-0x00007FF619CC0000-0x00007FF619DB8000-memory.dmp

Filesize
992KB

Download
memory/12264-26550-0x00007FFC0DAA0000-0x00007FFC0DD56000-memory.dmp

Filesize
2.7MB

Download
memory/12264-22743-0x00007FFC0D960000-0x00007FFC0D9AF000-memory.dmp

Filesize
316KB

Download
memory/12264-22744-0x00007FFC1CA50000-0x00007FFC1CA75000-memory.dmp

Filesize
148KB

Download
memory/12264-22745-0x00007FFC07800000-0x00007FFC078AB000-memory.dmp

Filesize
684KB

Download
memory/12264-22746-0x00007FFC1C660000-0x00007FFC1C67B000-memory.dmp

Filesize
108KB

Download
memory/12264-22747-0x00007FFC1C640000-0x00007FFC1C652000-memory.dmp

Filesize
72KB

Download
memory/12264-22748-0x00007FFC16F10000-0x00007FFC16F21000-memory.dmp

Filesize
68KB

Download
memory/12264-22749-0x00007FFC07720000-0x00007FFC077FF000-memory.dmp

Filesize
892KB

Download
memory/12264-22750-0x00007FFC13840000-0x00007FFC13851000-memory.dmp

Filesize
68KB

Download
memory/12264-22751-0x00007FFC0E3B0000-0x00007FFC0E3C7000-memory.dmp

Filesize
92KB

Download
memory/12264-22741-0x00007FFC078B0000-0x00007FFC07ABB000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads