Malware Analysis Report

2025-03-15 00:02

Sample ID 250220-cm8pqawlv4
Target https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware
Tags
dharma infinitylock bootkit credential_access defense_evasion discovery execution impact persistence ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted target is a URL, not a file; it was classified as Known bad. In the behavioral run Chrome opened the URL, the four executables CoronaVirus.exe, Krotten.exe, InfinityCrypt.exe and PowerPoint.exe were downloaded through it (raw.githubusercontent.com is the host flagged under legitimate-hosting abuse), and each was then executed from C:\Users\Admin\Desktop. The signatures below therefore describe four samples, not one: CoronaVirus.exe is the Dharma ransomware, which appends .id-<victim ID>.[<contact e-mail>].ncov to every file it encrypts and drops Info.hta files that are launched through mshta.exe at logon; InfinityCrypt.exe is InfinityLock, which appends a 64-character hexadecimal token, including to files and drops Dharma had already produced; Krotten.exe sets the DisableRegistryTools policy (the Task Manager lock-out signature fires too, though the report does not show which process set it), plants Run entries pointing at executables in C:\WINDOWS\Web and C:\WINDOWS\Cursors, and hijacks the Internet Explorer start page and window title; PowerPoint.exe and the Temp-directory sys3.exe both open \??\PHYSICALDRIVE0 for writing, which is flagged as an MBR write.

Malicious Activity Summary

dharma infinitylock bootkit credential_access defense_evasion discovery execution impact persistence ransomware stealer

Infinitylock family

Dharma

Dharma family

InfinityLock Ransomware

Deletes shadow copies

Renames multiple (675) files with added filename extension

Downloads MZ/PE file

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

Executes dropped EXE

Drops startup file

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Subvert Trust Controls: Mark-of-the-Web Bypass

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy service COM API

Modifies registry class

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Checks processor information in registry

Modifies Internet Explorer start page

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-20 02:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-20 02:12

Reported

2025-02-20 02:16

Platform

win11-20250217-en

Max time kernel

214s

Max time network

216s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

Signatures

Dharma

ransomware dharma

Dharma family

dharma

InfinityLock Ransomware

ransomware infinitylock

Infinitylock family

infinitylock

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (675) files with added filename extension

ransomware

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Desktop\Krotten.exe N/A

Disables Task Manager via registry modification

defense_evasion

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
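The file names in the table above carry two ransomware layers at once. Dharma (CoronaVirus.exe) renames a file to <name>.id-<8-hex victim ID>.[<contact e-mail>].ncov, and InfinityLock (InfinityCrypt.exe) then appends a dot plus a 64-hex-character token to whatever it finds, including Dharma's output and Dharma's own dropped files. The Python below is an added example written for this report, not code from either family or from the sandbox: it peels the layers from the outside in so a responder can recover original names, the victim ID and the order in which the two encryptors ran. The sample paths are constructed; the contact address is a placeholder because the report redacts the real one, and the 64-hex token is copied from the report without any claim about what it encodes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Dharma layer as seen in this report: <name>.id-<8 hex>.[<contact>].<ext>
# The contact field is captured opaquely; the report redacts the real address.
DHARMA_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<contact>.+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# InfinityLock layer: a dot followed by a 64-hex-character token at the very end.
INFINITYLOCK_RE = re.compile(r"^(?P<inner>.+)\.(?P<token>[0-9A-Fa-f]{64})$")


@dataclass
class PeeledName:
    original: str                                     # name with every known layer removed
    stages: List[str] = field(default_factory=list)   # in the order the layers were applied
    victim_id: Optional[str] = None
    contact: Optional[str] = None
    dharma_ext: Optional[str] = None
    infinitylock_token: Optional[str] = None


def peel(filename: str) -> PeeledName:
    """Strip ransomware layers from the outside in, recording each one."""
    info = PeeledName(original=filename)
    name = filename
    while True:
        m = INFINITYLOCK_RE.match(name)
        if m and info.infinitylock_token is None:
            info.infinitylock_token = m.group("token")
            info.stages.append("infinitylock")
            name = m.group("inner")
            continue
        m = DHARMA_RE.match(name)
        if m and info.victim_id is None:
            info.victim_id = m.group("victim_id")
            info.contact = m.group("contact")
            info.dharma_ext = m.group("ext")
            info.stages.append("dharma")
            name = m.group("orig")
            continue
        break
    info.original = name
    info.stages.reverse()          # the outermost layer was applied last
    return info


def summarize_layers(paths: List[str]) -> Dict[str, int]:
    """Count files per layer combination, e.g. {'dharma+infinitylock': 2, 'untouched': 1}."""
    counts: Dict[str, int] = {}
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        key = "+".join(peel(name).stages) or "untouched"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample paths modelled on the report. The contact address is a placeholder
# (the report redacts it); the 64-hex token is the one the report shows.
TOKEN = "317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39"
SAMPLE_PATHS = [
    r"C:\Users\Admin\Documents\report.docx.id-DA3E452B.[attacker@example.invalid].ncov",
    r"C:\Users\Admin\Pictures\holiday.jpg.id-DA3E452B.[attacker@example.invalid].ncov." + TOKEN,
    r"C:\Users\Admin\Desktop\CoronaVirus.exe." + TOKEN,
    r"C:\Windows\System32\Info.hta",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        r = peel(p.rsplit("\\", 1)[-1])
        print(f"{r.stages or ['untouched']}: {r.original} (victim {r.victim_id})")
    print(summarize_layers(SAMPLE_PATHS))
```

A legitimate file whose name happens to end in 64 hex digits would be read as InfinityLock output, so confirm the layer count against the process that last touched the file before relying on it.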

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" C:\Users\Admin\Desktop\Krotten.exe N/A
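The rows above, together with the Disables RegEdit rows and the Internet Explorer Start Page rows elsewhere in this report, all have the form Set value (<type>) <key> = "<data>" <process> <target>. The Python below is an added example, not part of the report or of any of the samples: it parses that row format and classifies each write against ATT&CK (T1547.001 for Run-key autostarts, T1112 for the policy lock-outs and the browser hijack), with two heuristics an analyst would want on top: an autostart that goes through mshta.exe or rundll32.exe, and an autostart whose binary sits in C:\Windows\Web or C:\Windows\Cursors, folders that hold wallpapers and cursors rather than executables. The sample rows are copied from this report (the LogonUI row is included to show a benign write producing no finding); the DisableTaskMgr value name is assumed from the standard policy key, since the report names that signature but shows no row for it.

```python
import re
from typing import Dict, List, Optional

# One registry row as rendered in this report:
#   Set value (<type>) <key> = "<data>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S.*?) (?P<target>N/A|\S+)$'
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>.+)$", re.IGNORECASE)
# DisableRegistryTools appears in the report; DisableTaskMgr is assumed from the standard policy key.
POLICY_RE = re.compile(r"\\Policies\\System\\(?P<name>DisableRegistryTools|DisableTaskMgr)$", re.IGNORECASE)
IE_MAIN_RE = re.compile(r"\\Internet Explorer\\Main\\(?P<name>Start Page|Window title)$", re.IGNORECASE)
# Windows folders that hold wallpapers and cursors, not executables (heuristic, an assumption of this example).
ODD_RUN_DIRS = ("\\windows\\web\\", "\\windows\\cursors\\")
SCRIPT_HOSTS = ("mshta.exe", "rundll32.exe")


def parse_row(row: str) -> Optional[Dict[str, str]]:
    """Split one report row into type, key, data, process and target; None if it is not a Set value row."""
    m = SET_VALUE_RE.match(row.strip())
    if not m:
        return None
    ev = m.groupdict()
    # The report escapes the value data C-style: \" for quotes and \\ for backslashes.
    ev["data"] = ev["data"].replace('\\"', '"').replace("\\\\", "\\")
    return ev


def classify(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Map one parsed write to ATT&CK techniques with a short reason."""
    findings: List[Dict[str, str]] = []
    key, data, proc = ev["key"], ev["data"], ev["proc"]

    m = RUN_KEY_RE.search(key)
    if m:
        low = data.lower()
        reason = "autostart entry"
        if any(h in low for h in SCRIPT_HOSTS):
            reason += "; launched through a script/DLL host"
        if any(d in low for d in ODD_RUN_DIRS):
            reason += "; binary placed in a Windows folder that holds no executables"
        findings.append(dict(technique="T1547.001", name=m.group("name"), reason=reason, process=proc, data=data))

    m = POLICY_RE.search(key)
    if m and data == "1":
        findings.append(dict(technique="T1112", name=m.group("name"),
                             reason="built-in admin tool disabled by policy", process=proc, data=data))

    m = IE_MAIN_RE.search(key)
    if m:
        findings.append(dict(technique="T1112", name=m.group("name"),
                             reason="browser setting hijacked", process=proc, data=data))
    return findings


def triage_rows(rows: List[str]) -> List[Dict[str, str]]:
    """Parse and classify every row; rows that are not Set value events are skipped."""
    out: List[Dict[str, str]] = []
    for row in rows:
        ev = parse_row(row)
        if ev:
            out.extend(classify(ev))
    return out


# Rows copied from this report; the last one (LogonUI) is benign and should yield nothing.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_rows(SAMPLE_ROWS):
        print(f"{f['technique']:10} {f['name']:<32} {f['process']}  {f['reason']}")
```

The Run value named svchost that points at C:\WINDOWS\Web\rundll32.exe trips both heuristics at once, which is the row to act on first; the value name itself is only decoration, since a Run entry can be called anything.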

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Desktop\CoronaVirus.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\Desktop\PowerPoint.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A
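Two processes open \??\PHYSICALDRIVE0 for writing. Whether the first sector was actually replaced is something this table cannot tell you; on a live host or a disk image you check it yourself by parsing the sector and comparing its boot code against a known-good baseline. The Python below is an added example written for this report, not code from the samples or from the sandbox: it parses a 512-byte MBR (440 bytes of boot code, the 4-byte disk signature, four 16-byte partition entries, the 55AA signature) and reports what differs from the baseline. The two sectors it analyses are constructed inside the block (a stub of real-mode prologue bytes for the clean case, a jmp-to-self loop plus a lock message as a minimal stand-in for the custom boot code a screen-locking overwrite installs); they are not captures from this detonation.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # bytes 510-511 of a valid MBR
BOOT_CODE_LEN = 440             # boot code; bytes 440-443 hold the disk signature


def parse_mbr(sector: bytes) -> Dict:
    """Parse one 512-byte MBR: boot code hash, disk signature, non-empty partition entries, 55AA check."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    (disk_sig,) = struct.unpack_from("<I", sector, 440)
    parts: List[Dict] = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            parts.append(dict(index=i, bootable=(status == 0x80), type=ptype,
                              lba_start=lba_start, sectors=sectors))
    return dict(boot_code_sha256=hashlib.sha256(boot_code).hexdigest(),
                disk_signature=disk_sig, partitions=parts,
                valid_signature=(sector[510:512] == BOOT_SIG))


def assess(sector: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """Compare a captured sector with a known-good boot-code hash; an empty list means nothing suspicious."""
    mbr = parse_mbr(sector)
    findings: List[str] = []
    if not mbr["valid_signature"]:
        findings.append("boot signature 55AA missing: sector overwritten or wiped")
    if mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: possible bootkit or lock-screen loader")
    if not mbr["partitions"]:
        findings.append("partition table empty")
    return findings


def build_sector(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]],
                 disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector for the constructed samples below; not a real disk image."""
    buf = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, 440, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        buf[off] = 0x80 if bootable else 0x00
        buf[off + 4] = ptype
        struct.pack_into("<II", buf, off + 8, lba, count)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


# Constructed samples (not captures from the detonation). The clean boot code starts with the
# usual real-mode prologue xor ax,ax / mov ss,ax / mov sp,7C00h and is padded with NOPs; the
# tampered one starts with jmp $ (EB FE) followed by a lock message.
PARTITIONS = [(True, 0x07, 2048, 1_000_000)]     # one bootable NTFS-type entry
CLEAN_SECTOR = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 433, PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_SECTOR)["boot_code_sha256"]
TAMPERED_SECTOR = build_sector(b"\xEB\xFE" + b"YOUR DISK IS LOCKED" + b"\x00" * 419, PARTITIONS)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR), ("wiped", bytes(SECTOR))):
        print(label, assess(sec, BASELINE_HASH) or ["no findings"])
```

On a live Windows host the sector is read by opening \\.\PhysicalDrive0 for binary reading as an administrator and taking the first 512 bytes; on a raw image it is simply the first 512 bytes of the file. The baseline hash should come from a trusted copy of the same machine's boot code (or from the imaging tool's own MBR record), because the standard Windows boot code differs between Windows versions.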

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\Desktop\CoronaVirus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_100_percent.pak.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Modal.js C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\LogoDev.png.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Cryptomining C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubStoreLogo.scale-100.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Dev.msix.DATA.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\dom\IVirtualElement.js C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\be_get.svg.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-2x.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\devtools\de.pak C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover_2x.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLT C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\PSGet.Resource.psd1.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js.id-DA3E452B.[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected].[[email protected]].ncov.317E6DB7F6301F8047FB673324D0911F527B24E86C0F929E7C8752982A2DED39 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40_altform-unplated.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\MLModels\nexturl.ort C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v8.1.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxk.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mspdf.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-16.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.id-DA3E452B.[[email protected]].ncov C:\Users\Admin\Desktop\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchSmallTile.scale-100.png C:\Users\Admin\Desktop\CoronaVirus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\WINDOWS\Web C:\Users\Admin\Desktop\Krotten.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion

Note: every row below is chrome.exe writing the Zone.Identifier alternate data stream on a file it has just downloaded. That is the browser applying the Mark-of-the-Web, not a sample removing it; as the table shows, the signature keys on writes to that stream name regardless of which process makes them. The rows are still useful as the record of which four executables arrived through the browser, the same four names that later run from C:\Users\Admin\Desktop in the other signatures.
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\PowerPoint.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\CoronaVirus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Krotten.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\InfinityCrypt.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\InfinityCrypt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\InfinityCrypt.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" C:\Users\Admin\Desktop\Krotten.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" C:\Users\Admin\Desktop\Krotten.exe N/A
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\Desktop\Krotten.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\Desktop\Krotten.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" C:\Users\Admin\Desktop\Krotten.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844911868234210" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND C:\Users\Admin\Desktop\Krotten.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\InfinityCrypt.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\sys3.exe\:Zone.Identifier:$DATA C:\Users\Admin\Desktop\PowerPoint.exe N/A
File opened for modification C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\Desktop\CoronaVirus.exe N/A (62 identical rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (32 identical rows, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (32 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (64 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (28 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 1528 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical rows)
PID 3160 wrote to memory of 828 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (30 identical rows)
PID 3160 wrote to memory of 248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical rows)
PID 3160 wrote to memory of 2056 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (30 identical rows)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Spyware

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae58fcc40,0x7ffae58fcc4c,0x7ffae58fcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1876 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2188 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3104 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5052,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5044 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5020,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8

C:\Users\Admin\Desktop\CoronaVirus.exe

"C:\Users\Admin\Desktop\CoronaVirus.exe"

C:\Users\Admin\Desktop\CoronaVirus.exe

"C:\Users\Admin\Desktop\CoronaVirus.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5288,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5080 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4908,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4784,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5468 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4112,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5624 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5508,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5764 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=996,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\9bff1132454046cf8cae5cb05f367f23 /t 5936 /p 5932

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5228,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:8

C:\Users\Admin\Desktop\Krotten.exe

"C:\Users\Admin\Desktop\Krotten.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5320,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5444 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5452,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5460 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5840,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5868 /prefetch:8

C:\Users\Admin\Desktop\InfinityCrypt.exe

"C:\Users\Admin\Desktop\InfinityCrypt.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

C:\Users\Admin\Desktop\InfinityCrypt.exe

"C:\Users\Admin\Desktop\InfinityCrypt.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5644,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5348,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5924,i,4623085657839753293,3515095062445787943,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4380 /prefetch:8

C:\Users\Admin\Desktop\PowerPoint.exe

"C:\Users\Admin\Desktop\PowerPoint.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39cb855 /state1:0x41c64e6d

Network


Files
