dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Analysis

max time kernel
214s
max time network
216s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2025, 02:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Score

10^/10

dharma infinitylock bootkit credential_access defense_evasion discovery execution impact persistence ransomware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock
Infinitylock family
infinitylock
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 4 IoCs

flow	pid	Process
23	248	chrome.exe
23	248	chrome.exe
23	248	chrome.exe
23	248	chrome.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe

Executes dropped EXE 14 IoCs

pid	Process
13364	chrome.exe
6460	chrome.exe
6484	chrome.exe
6516	chrome.exe
6532	chrome.exe
7104	chrome.exe
8168	chrome.exe
8676	chrome.exe
8696	chrome.exe
9096	chrome.exe
26792	chrome.exe
26820	chrome.exe
23436	chrome.exe
21052	sys3.exe

Loads dropped DLL 15 IoCs

pid	Process
13364	chrome.exe
6460	chrome.exe
6484	chrome.exe
6516	chrome.exe
6532	chrome.exe
7104	chrome.exe
8168	chrome.exe
8168	chrome.exe
8168	chrome.exe
8676	chrome.exe
8696	chrome.exe
9096	chrome.exe
26820	chrome.exe
26792	chrome.exe
23436	chrome.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
7	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_100_percent.pak.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Modal.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\LogoDev.png.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Cryptomining	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubStoreLogo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Dev.msix.DATA.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\dom\IVirtualElement.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-2x.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\devtools\de.pak	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLT	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\PSGet.Resource.psd1.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected].[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39	InfinityCrypt.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\MLModels\nexturl.ort	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v8.1.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxk.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mspdf.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-16.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.id-DA3E452B.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchSmallTile.scale-100.png	CoronaVirus.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfinityCrypt.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
7528	vssadmin.exe
6152	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844911868234210"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:Zone.Identifier:$DATA	PowerPoint.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe
1072	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
21260	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 1528	3160	chrome.exe	81
PID 3160 wrote to memory of 1528	3160	chrome.exe	81
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 828	3160	chrome.exe	82
PID 3160 wrote to memory of 248	3160	chrome.exe	83
PID 3160 wrote to memory of 248	3160	chrome.exe	83
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84
PID 3160 wrote to memory of 2056	3160	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae58fcc40,0x7ffae58fcc4c,0x7ffae58fcc58
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5052,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5020,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5288,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:13364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4908,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4784,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4112,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5508,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=996,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:7104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5228,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5320,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5452,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5840,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:9096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5644,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:26792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5348,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:26820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5924,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:23436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2352

C:\Users\Admin\Desktop\CoronaVirus.exe
"C:\Users\Admin\Desktop\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1072
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4524
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:19292
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:7528
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5636
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:5944
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:6152
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:5932
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:5976

C:\Users\Admin\Desktop\CoronaVirus.exe
"C:\Users\Admin\Desktop\CoronaVirus.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5884

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:7564

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9bff1132454046cf8cae5cb05f367f23 /t 5936 /p 5932
1⤵
PID:8040

C:\Users\Admin\Desktop\Krotten.exe
"C:\Users\Admin\Desktop\Krotten.exe"
1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:8484

C:\Users\Admin\Desktop\InfinityCrypt.exe
"C:\Users\Admin\Desktop\InfinityCrypt.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:9792

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:17844

C:\Users\Admin\Desktop\InfinityCrypt.exe
"C:\Users\Admin\Desktop\InfinityCrypt.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:19100

C:\Users\Admin\Desktop\PowerPoint.exe
"C:\Users\Admin\Desktop\PowerPoint.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:26972
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:21052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39cb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:21260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39

Filesize
16B

MD5
29e5a84d566228c1bd69bc09103f196b

SHA1
14377aa9255d7de710366ffedf2ad8422ddb16ab

SHA256
e8ac0d2c48234effb3802dcdd1b7624a9279f1dac3319487047e7250076d1173

SHA512
f48aba1611eca3d72d1229015f46238dfaac1a71787b1ad4dcbad1c048af8861d646fc13c824b76de04b049ba1720bc82f1cea5b3e956c7a3a40d7f5337e906b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39

Filesize
6.4MB

MD5
4f4deb2c6d655eab59e42a0651a73949

SHA1
b25219344ac7a79b614187b6c6066671b63e7d94

SHA256
332a68697ba39b377777582a87c5a1da265d14d3acf360e7e49244b1377cf79a

SHA512
5aa7f31603a6a58f64a0ddea68ba8ae7e54a78f7fbd70312dd46548e3f315ea4be146a4f6592c22c95fbceac92e6929eec1aa8b578c04d1e2b37cc42da69f99d

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dxcompiler.dll.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39

Filesize
21.0MB

MD5
72fb2f9a24dad391162e49b44e4f51d3

SHA1
49a99cec833bc49eb6ed745d1b4036b00480fb14

SHA256
250cfeb6bab06e7da476ddc8e36fd5c573a5c4dcefe9d033edf7a36dfe0389ff

SHA512
33f25342d34cc931d4289c3445c7262793c38400a7102d37b22f20cd00b9baa8ac2ab4197e95a58f383b2ca2211e6b1ed6d96797744f454b77183ca670de559f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\delegatedWebFeatures.sccd.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39

Filesize
16B

MD5
cef56a33910e46e440fb4b9bc7fac983

SHA1
7179e33f75d07b965707b3e77df275dcdcc5b366

SHA256
83dc7514840464b081fec5147cdb0e3e93fff1b1dd3d3e9996489ca13a9f2ec6

SHA512
e0d83aa10a52de372b17b2af474b9e3f7c936f42ffe78b47c41777afb25ed22ce6d8fce397bb83ce051e55217f94093822043658c770bf5132480641ba924579

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-DA3E452B.[[email protected]].ncov

Filesize
3.2MB

MD5
43cbedb883ee8102c53b12e2f71eb769

SHA1
c6d7e0189d49f4b423a78eb9b4beabfb96e827e1

SHA256
8f36f62e27308382c6a77da0f2deb958d2df7432a96385cc6ebaf67801021ede

SHA512
ec8b777c6e024e8965433db66f0c40e464a4740a8235264f7f65976679345c484d6196f4245045fe25a8065ff5a67aba81287a0294cb4eaf0781b366c02426c5

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dd8c6791145bd7604234509b17861ee0

SHA1
f2cd9823e242ee802f04146df932ea7551f025dd

SHA256
d4101284755893e22026a971a80fd9595afb9436af7cc9ee7fb7ce12e424ec26

SHA512
e69f7b3e5762704d174d1d5f7bc58c17c0e3d00a7da1438fa6ac1ddae209f94d596390152df31b98cfef893e33f8653030163bda846839d59bbe0eb9bd99b5d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1fd7ceccb2a05ec293ce878b0bf828f7

SHA1
7bcc8d7aa88eea22c60c0772b5312455dfe79fb3

SHA256
a3f5ec1b64a80a0f8c13a74d6249c6a4273d1cdccd6ffe2e2963b4963700c585

SHA512
41fbc746331bbb01111436ae2e259f33c04465cdf8c6a5df535c789adbf849b16c5186adb7dbbf0fdfa594b11f9bf16ed740df2090c4f6e46a30c25678fcbe3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State~RFe59981f.TMP

Filesize
3KB

MD5
143a4813f24392831d3926599778cda6

SHA1
9fb10c224ebde8d65acc2a87b6e3c7ffadd11c4e

SHA256
90fca410f07bc65eda7a7224bd081127be6b87544b2399dc830682fb6333f82b

SHA512
6d3d33fdd4d0740689a4a7b0e23878848b1fe4fb3af05cb8b658a6f8ac179112cbcc274a6916e1f7e42f0bf41e1c583b0942a5afba96e3a4ccc6913f10b3bd32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f4bb7ebbbdff298554b879fcf3cf82aa

SHA1
dc5489d67daeea9d44f18c1c67230142379b6e7b

SHA256
4de894f4cb968f916dcb0dd20e744a191f45a666c45897fd695cb3fc7f6f8bde

SHA512
044e779792bf291ebc02efc510cdbef9efd0cd91350f8da42e5bb9fc458ed9f8ebc870d359745335fdb966a3e78682925da95ede2b12c54464a98a6b11eb7cb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
920a122856851f399f92872ed091b21e

SHA1
54491792d210fb27eae285ce71a372091297649d

SHA256
daaf0d3198aa039e9defc31bb920cc2f4bb332d4f676aa50cb857d6949482838

SHA512
50efe6e0b085911e40baa2ed79f6ef16343e3a3ce6e59d5c10b1a321df0aeb352f8fa3823de12a15c80b403c4806e4ca59b78a45e87af38f0d39aa6cbd33a95e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
41d3e8e3e62c4c9069d5aff8ce92c1c7

SHA1
d4e67c2a7564a76636c266e0d6fa9a17564e6c26

SHA256
7bf660071fe7a1ad21cc9309dccb8bed7a59d29f5483214bfd8ea5d1e9b4467d

SHA512
c542332e35ddb2de2bbf55f0a5b29e0a057fbd6664e0d9fce5f0e4c28139f95f81214e521934121b5e9791c909d35b635e79f9305a22b633edec0832567b1b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
36a8982e62947ef6859a6c09933bf95f

SHA1
bc7f09532c3b6118f03cefbacfec41c17d9a4840

SHA256
70a039a02497c92b96aa6b317447d2c65af841467333707ce40c16452e8f0a03

SHA512
b284fe87b04186d2b18a9970393c6431adc213d6271b074cfeb5e0b4db4b785ac7df3b8ab72c87e00e83962aea72f78281fcae3873a1bdc5378b26f277032a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6a0ea2807cada91baccc444e822b4041

SHA1
0e307bd2735317d34c07943e14281a156ad51139

SHA256
7c859d0ad483f6491ca08b518e58c423e92f012e271dcda5da508a2071dc1f46

SHA512
b09c2cd3d20812d58f18c55df14963e15bc69b31ef1b53c72b6b76fca6165ad768cee6f639f66c4a32e360c5e6d303df299613510a1d4fcb42b7aa6c16209bae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
48e557b4e7694b2a906f52d736454966

SHA1
12231dcb13de9292c37b00dcca225cf8a775d9f7

SHA256
e8055378999d81b0801571a1c12a8553fc2cbb01f797f8f60d56e7bbe82559b8

SHA512
d4139730072870d64cf71f3b8385e9ed6032bb9ce8a221fdd6454a7f022cc2ce8d12e84837cf9f0d3b71b7648c2356271a333262ccffc0a31f201b09c4760e82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f7c2fc52d6a6d0732f79b792a56dd2c3

SHA1
aefd7303fd71fe93837048d49868ecaeb4531c83

SHA256
0d96b74cfe46b3ffb78e849512691fbac983461cfab2115482170b00c6acc226

SHA512
99299fdeb471b8f4c1a255456f5b0c896ded067c31ce1c66fb8bc97e85b3a474744c59803dd0c42019a9cdceb96417d65b94366edc870951742203c89a88eaff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1e5242d29e4ef9a14cc510e8d5b68cd7

SHA1
c424b8081952fad9610be6628c0e1355423caf49

SHA256
c2bc886ddb31163e774359ea555aadd8741c8ac428c1999e99f532e76584423b

SHA512
a319e2bc2e096da0031d822f298b450c218625f050e3765386b7f9868bb0a08617fdb1c2e8ba8373a3ad6df059f5b79f0f2402700fc8e90d8a33a22af64539c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d0a5b87d8906e47411a8f5fe0d747dee

SHA1
c0e3e2657f296b8e276868c13e7953e44fbef767

SHA256
898e3baedf04135d6192edd14ab1756e5689a4392e55c905af3f2bbe1a357077

SHA512
9befd6e9f75895849e5545b606838dc209fe17bf34ea2a5c72d7849a581c7799374ee1604c7b869b63be61b3baf1a5ebfed2c80af9d93f11355fdfc37e79ae79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe58b447.TMP

Filesize
1KB

MD5
7568b71580d19513af07fa86dc9dbe17

SHA1
2bf7ccc4d0da9abb9b7dbd5eae23c0baa297c001

SHA256
5b2fd7b1324d8123a61417541b6f838bc48b107f454328c7cc4ed45ebc7cff36

SHA512
cffe12d8e92ecccbef0cbcf3960ff737db5a31d91abc8b87f67a76285ee459d188460dfc38a1652352fa807062188e9489bc49df7ff43c826f74c1239acd915f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a2cd77a3-dbb3-4732-8532-1badd9677b32.tmp

Filesize
4KB

MD5
3af0e24a17f5076c4c44959f6700b8a0

SHA1
c2f469e7a014d15184436b2283bcb21aa7dbe10d

SHA256
6a4ef064b98d4bd554da3f542971003916dfe03bfb2d37e4dfcf51bedab08ea7

SHA512
4391c9585f79013bbb8092533be2743b1428d93c4e0ef60bcbb501fea1f1262f79f6e31c1374a6811297d0f315609ddf52bb1bb393a405184ae8cb8e2327e56c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3238aa6e449f634ba180f9f7aec2915

SHA1
23434e2e62e897b863a18fd3709f02a0d0f3f5ed

SHA256
f00b0b96e2450a56dd140127787cb379cf10d13224deb47035c3c00751fb7caa

SHA512
b2f66e8b85d73c3ca43a4af9df5bec0f9ddc0798a5fda364b9501fac21ba02d5bdac070a2fc6123f80d4df4e314295db2fec35794ce95a3f8ce3b747e859e182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af880c7fbbfda4507a5f729dc95a494e

SHA1
76f4e309be9e1b8598246d4991c01284e62704d3

SHA256
8dc15724eb4db53fef44ea0e46b640944eb7c1fed4674dbb3de20ea8ffc098bc

SHA512
ba8dd8a17f97732bc18a12af7beaa0349fb33c1f825d7e4b0d1dbb2be0d6f51f879e1f88a82e5ff3b72971ab280ab9e7d78802e42e8598111258eacfffd2d2c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dda7874bdf6326a0b44c9b7966d7f175

SHA1
4d0369a06a0ac6ec5496e579cef004cd615fc71c

SHA256
cd66f5ebbc8923ef2741c030c71d64c348db72aad3b653cef72986b9074f71d1

SHA512
4664d04a02cad75b7608d517d2b0bb6304139a99d6f0b5a4eb6859253c6679c20838fa36f018aedf1bb38da3a66df0768ad68ef243c1d103c4584bc4cb666b93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f5fe8ce3c261dc16463b91c1a4a268b

SHA1
0d3e5f2ec20eaaf3c758bcb9f67292ac333d42f9

SHA256
d825aea417c9a40486870b8965809a12246bc24a85fc2ecd5c5636ce19164c09

SHA512
84e364c3f7586ce8fa24da8c32be083f1c49c843511769f6b0549fd3de1b9dc96bcec1c3f84857bdacba410d4c6706bf170900cee316abb375731242576832b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aad772ae9a60d03cf821d6e22782113c

SHA1
0099d37acd1370407f0ca2d77d64af19576acddc

SHA256
b683fefd2ea2db822c9651d25ebbcb2027da157fb3f8014ab6567b516670dcd1

SHA512
f947041accb589307d5929a4d3e319139e096ce89f87e637df7dea5b1ba4c43daedc71d8cbfb7aeb78c54291a501c511efdd01e03498552c49ea4b4428c8cbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
03f605a9119fe379c1f9fa083037ae7d

SHA1
853f995ad8737a535bd490a92003e5e238f49299

SHA256
99075fb04779da02ff94c83725da6c96dba80cfe86209e51d1714134cce9de2e

SHA512
0fd7c09a12dcda82ba786d9edada3da625cbd61424189dc9af4971a3622728489d00290e86c92d0b14cd8d955e59c9dd8aea2df97cab8cb4e7fd4ad933a5ac3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bfe3ab4e537392bf7f975c7eb7b5e95

SHA1
35166d7574106d93a509108db1aca2bb44ec3cb5

SHA256
4bcfbef59ac3247a26bfc9c914f2bcb07c22ce35ff547dda58460ceceab71a25

SHA512
a18fa13972271a18a3824d958116e7cf6ff7cd25a4ab98e6ff33247bc0905483c6cc6876079f6301d86a72331cead6f5541a91f56dfade0f91cb1fad7a3f8664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
007da0a9cb1db9eea19ccd463825ffcd

SHA1
ab6938a3fef1ddcab5792d0226b0b65cbd12b8bb

SHA256
1f7d240a33cfb29f3e8ff2c3133a290ab0728e1a640702e00827e2bbebebc9ad

SHA512
1a9c62f41a22e2703fbd22541d6b26d3edc5252ab5708bf6b9ffde50ffabc17549bdd2a7445ea5a505c313d94c8e57a4ace11c597112d666d7d90166861f87e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7836d143b2d3e4401f2b56b86b6f822a

SHA1
fea09e2cae8f0f23860503e18b87dd83081c536a

SHA256
48c932fb4b97e926c94aeeed78cc12b07fad5c670fc63d4c90c0635d7bc9d936

SHA512
665252cf56b5964124c494e3872cca4c51271d76cff870640d20a292b9e3761d2572cbb6453f132b607041abdb1d703b774bb55b4342f130037a84604976420c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
131a6fae231cfc970d1ebc6739111e06

SHA1
469f7aa24160433e9621cdc85ffa14b7e3564182

SHA256
9ab6ace40d2b310357400d2e5a0aa1f5ea7e7be06669eb76f1e2decc7355b3c4

SHA512
b2bea3507c6db149eb176cae71c5ed317815d8a1c28f7be908972a97855816466dab6d4557ca0cf5eb0a08897d3b58865f07202ad824887ac4bc6b9136688e69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19874a4ed45d15c29183be7f9994b007

SHA1
9f4f7440c86f12203fc5d741ef17895b31f982e9

SHA256
177cb5a52a6a8c2490b063085c1300ea279ac4c194f2154a14aac7229512fc3e

SHA512
917c64c1e2fbfebc6e2c53d1199f10900107dabdc25852675b96e4444303317f917e34ccb629ef89d8cf767d4f19c7a9cbb08b53a5338e2038182f71f0c93a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63c1645876ff318f7c4a42c4930654b4

SHA1
bd53eac34cd53fea4f687b0ee8fd299daf3258e2

SHA256
2d38a5a7996c6a563926928b7ea11d388f13f2477a1fb00214348d10f943b434

SHA512
2d5b3fed09208980004af355b6f1a933db32febb8f6a11ef5b85c4bbbb67a4e77d5c1b7d295693c09cf1799e234b298bb553f0029ee5bb508e7dcbead8093a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
793d6a6228a29ffd907c3ec9161e9bed

SHA1
6e4fdaed794a06e410fb3db2997583cdaa5aabc3

SHA256
86b46bc3454615f46349e8b3a377884dff49e01392fcec750e265663a9a6c2f5

SHA512
9483e12491f4c07c739eb94dfd88dec19dceafd71347fe07c3ffb8eb9f35fd009da3b764665184a5f6768b9108dcedbf0289fc3fe64919d70157faca9bc68e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58cd1f.TMP

Filesize
9KB

MD5
5930c8ed3860a00ca641c6486e859c57

SHA1
33efaa978edfcb91c0562370301d24d501fce969

SHA256
aa4b4e33d8bd7745f14b7e35f10740b20d6d2d0c1201950990223de20c471f65

SHA512
bf982ff33bad27cf89d4c635c7937e89fea0af484e492b17f7a4a8a095000c91d60ab1ce0bdc427f198200fd467d79453cefa99320d10f2cbb9c06004662f87a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
af70cc6a429c78df55c6df2bdb6e5336

SHA1
16debbd4f01f551ee9a120d83da2306f331b5efd

SHA256
6a1ecbf6a3bf6695b943506e984dae91b9f77ae83713a3e3677366c71b7ee841

SHA512
2ec8d535e2877a08e89e3008dc00167cadd816c43237c113f71f51c0514fb819b8dc30dcd667ff2058e452740e32919ef44bd682f3007e718fbe5432f23ba9e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
778ce2981876b42641b6840cf2e88ef1

SHA1
dc659297748e36b9263eb4e8a7be36518b3bdfd7

SHA256
eefbad856a17d7b47a5d90fe50dfbd2b497c1ceb02977f3767b809492b9a6854

SHA512
eef0e94ea61bd685fe26e146f86f69b7143394e50ca190b60848376fac582eee5cfa1f2f8c7ea3ee81106b33a6fcb3097a52ce70578aa47b26d8f058e64e2bc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
237B

MD5
beff7fa4b93d64ffe1a92120476e8e7f

SHA1
8e807b95b9cc238c410c46f09c89ca29f3df5b31

SHA256
36c0ddaa727b1be0fb1dc4dd27ef136edf1eba3d1080fc13665b869964193330

SHA512
263d48a8334ddb6f88a223f8a5857f5494001c88bd083870863575d034099ec6011c37eb435fdc2e615e0579cd947512e85c39ba6c286061bd2f2d9bce67ad1b

Download Submit
C:\Windows\System32\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/704-228-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/704-6112-0x000000000A570000-0x000000000A5A4000-memory.dmp

Filesize
208KB

Download
memory/704-7492-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/704-6163-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-238-0x000000000A6A0000-0x000000000A6D4000-memory.dmp

Filesize
208KB

Download
memory/1072-4644-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-240-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-209-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/9792-26353-0x0000000005380000-0x00000000053D6000-memory.dmp

Filesize
344KB

Download
memory/9792-26352-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/9792-26351-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/9792-26350-0x00000000057F0000-0x0000000005D96000-memory.dmp

Filesize
5.6MB

Download
memory/9792-26349-0x00000000051A0000-0x000000000523C000-memory.dmp

Filesize
624KB

Download
memory/9792-30384-0x0000000006900000-0x0000000006966000-memory.dmp

Filesize
408KB

Download
memory/9792-26348-0x00000000006B0000-0x00000000006EC000-memory.dmp

Filesize
240KB

Download
memory/26972-30787-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/26972-30792-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads