Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Known bad.
Malicious Activity Summary
Dharma family
Dharma
Renames multiple (684) files with added filename extension
Deletes shadow copies
Downloads MZ/PE file
Executes dropped EXE
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Program Files directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
NTFS ADS
Interacts with shadow copies
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-24 21:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-24 21:59
Reported
2025-02-24 22:04
Platform
win11-20250217-en
Max time kernel
215s
Max time network
216s
Command Line
Signatures
Dharma
Dharma family
Deletes shadow copies
Renames multiple (684) files with added filename extension
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-580533235-1933962784-2718464258-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-580533235-1933962784-2718464258-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-20_altform-unplated_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder-default.svg.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\OriginReport.Dotx | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-200_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected].[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\Example3A.Diagnostics.Tests.ps1 | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mi.pak.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\de.pak.DATA | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\crashreporter.exe.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small2x.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\VisualElements\SmallLogo.png.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_UnplatedLargeTile.scale-125_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-100_contrast-black.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Rating.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id-B78F0F36.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-40_altform-unplated_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 27211 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0806583b-bf8b-4cc5-8bcf-5ffc2505c265} 344 "\\.\pipe\gecko-crash-server-pipe.344" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 28131 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdc331b9-ca37-421d-947c-ed45aa915b9c} 344 "\\.\pipe\gecko-crash-server-pipe.344" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3032 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dbda5d3-3126-4a81-8aaf-aaf81fa7448a} 344 "\\.\pipe\gecko-crash-server-pipe.344" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 2756 -prefsLen 32621 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e86c71-2d9f-422b-8d5c-449c7ce32919} 344 "\\.\pipe\gecko-crash-server-pipe.344" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4296 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4220 -prefMapHandle 4208 -prefsLen 32621 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {016bf440-8afd-40c8-b582-36f7bdb98a8b} 344 "\\.\pipe\gecko-crash-server-pipe.344" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17f30e10-2104-4bc6-9114-d807eb107d89} 344 "\\.\pipe\gecko-crash-server-pipe.344" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {829d31bb-680e-46b8-a69c-dd1ac8e5602f} 344 "\\.\pipe\gecko-crash-server-pipe.344" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5856 -prefsLen 27038 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {692c3b7e-21e7-4ade-ac9f-d1021cc59dcb} 344 "\\.\pipe\gecko-crash-server-pipe.344" tab
C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49787 | tcp | |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 140.82.112.21:443 | glb-db52c2cf8be544.github.com | tcp |
| US | 140.82.112.21:443 | glb-db52c2cf8be544.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 127.0.0.1:49795 | tcp | |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| GB | 74.125.105.7:443 | r2---sn-aigl6ns6.gvt1.com | tcp |
| GB | 74.125.105.7:443 | r2---sn-aigl6ns6.gvt1.com | udp |
| US | 185.199.109.133:443 | avatars.githubusercontent.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\91c65c08-9b1d-426a-9d2e-9d6b8e114a49
| MD5 | 330f8a77e9e69ebb58a67026f6ca5fb6 |
| SHA1 | 977e077861e8edc9507bffb931b5999e3509023e |
| SHA256 | 04253526ca483a7f61827271798255388e1631b2e59f17e7a944a0f9d8017315 |
| SHA512 | 7a2ab00b6b23b45a435cdaa70424bcf2bf364beac2c18b4978e0657469f9089a9fe9b038891ddf3e74b687f58becb8d81c9f1b6600be17b5c53c29ea1c1d7180 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\ab9576e1-45e0-4a1c-a06b-395018b0fa4b
| MD5 | c6d9b52f90a2a50e2df4c2233bdf3f74 |
| SHA1 | 39a4270de92f049a1273807d1517671c579e1abe |
| SHA256 | 7a6fb239593d15df10884dae4a0c3158f8d0db21c1b054314f80e470af5c66cd |
| SHA512 | 9476ed5a2ebd30b0ccea426cffd0fdbba5b827e802b0851a33d212b799ac189be72add39dc50b5596258532d1d47975d9453f72c733eab3ae5eac4cee59979ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5beb3ee35e5c1af59ae823f13c8e11f7 |
| SHA1 | 1926ccd3e5d66306f6aad35ceb2ab306024e352e |
| SHA256 | 394014c72b9f1e2ee6322e6fa6ab070dd3d2d9623f1393bffeaea7ac69ea2835 |
| SHA512 | 2ed58b9ef8e1233e397b917415249dd9a5f7ed7c4553354ee835c8bcb7c219a82e0d566e2c54fedec4a1255de6e22d8e939e1abda8ad336fad2d72a414765559 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\4caf8a17-b2f5-466b-8261-f3657becbaec
| MD5 | 44cace5c1f65514b13946b022b1424f5 |
| SHA1 | 8fe92ac9c91fa497fdc8b22f9e56bcdf52181b2e |
| SHA256 | 2f86a52a297b004e3ce8b23ed94da862e3861333a811973406381969474fbce6 |
| SHA512 | 6d9687fe41882d0285fcdd56d3e0406ecc2e04f4024e84c2219968c1eb702f0fdcce647b9d28b7f310ed7aa2d60b82fd9a97e248e29be818f3d4fb49dd212365 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | f756a355c3f7d4d2c645e95a61223ee5 |
| SHA1 | 4c1479b4b74a6d04f4c68b8e9c68afcf129efeb7 |
| SHA256 | 7f97a750c72931fdf16fc7372a791e5e1432aa5075bc6f88381162ccea1351ee |
| SHA512 | 65ae78cf0d4a2d2b28e5b7b5ef5ead6da6f0abea03c4ef3b794b2bc263fb5dbab7ca6c537ea7f712212d501a080ba6afcafe6d40c20c3115ab117ac13b80d650 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | bfaa081f5c9d28ea09dbaaedbbc3c3e4 |
| SHA1 | 4d969b169dbdb97cb4dafdcebb197118c7c9dd93 |
| SHA256 | 401f6f68b014750a3ff746632d60c8b056b9fc04010a837cf0efed38481ca351 |
| SHA512 | 2e7fbe6b84d53d94444eb2b35901e60b45787dcf747ada780cc49b3ee45fdf1e293e36410e120e217a5d83afba83e3e5f10a8ddffdb771b4731d5af67f28b133 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\activity-stream.discovery_stream.json
| MD5 | 694599d99a3473c1c373ba88a908851a |
| SHA1 | 1b585b6414637654d339445f7020c125d0b4fc8d |
| SHA256 | 584f769636cca50fb5736476b8df8cf3ff5e3a913f7c46da69879880309714d6 |
| SHA512 | 906675c31b3cd8d97ec669fa63572eb63d87d520fdd286c39a6b24fe6b97f7668f34154184e2fed39823eb1f35410edb6f44e9b924071a33643b9fab2b84e07e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs.js
| MD5 | 4205bda10e7227ecaa79e5f8b711425c |
| SHA1 | 3f1c9c5b47a9760e9eaceaba91b170ea84e5f7df |
| SHA256 | d7c877fa9b41c317eb537ae08a34d7296c778aba4ca02cd0ea79100d7df841d3 |
| SHA512 | 1d9fb7b6bfac90a92122a6c4d33de32d4de7518ba7387dce26c502ceb0fb98395bbf07529aade49aaad3927d1fb7fbb9a126006cbce13b58c0a5c4ae461763ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js
| MD5 | 86c3320308e092b0419aa44fc2985dcf |
| SHA1 | c667b3f618112608b4639464dd4e84de0bd01a2d |
| SHA256 | b7d4eb2ba2d27e4c1495d223efa535b75f79661c7e984dc35afa8eaf2a20efec |
| SHA512 | 82f877733f84913ff57e83978018abc6c451589958c6dfc2f7c44a427ca61f88b7ec06d67f66b81b5cf89d913c19998385911225ea9ce23aad826a0ec6227559 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | d85eb5f5648733cf43c65a1a8caf112e |
| SHA1 | fb77e9284cc24114b3b49b667d049de97ba7a900 |
| SHA256 | 0db9f1a25f9ed0718abe120fec96b10120189107d467dc4da8baa765bcbaea2d |
| SHA512 | 3da87679a57706ecbccbf179dcd7d0c72c1eb871f2f13cd527b31f0c751ded6a8efd764c1ec97bfba6da9f43b1a82b626a1b2f3a0adde7fec06f77df88955af3 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js
| MD5 | b1fdf8642645a6e66da5ca1cfca3db64 |
| SHA1 | 96302c8800b92283e05b177a6849a5fc9455ff0a |
| SHA256 | c569f1bfc3da1ae46463c6840574a84b90bee61011b5c4d9349ff2b803290396 |
| SHA512 | 4e423a4be0f8cd08c9fbc4a7dd26eb8f80398dbe30797e01c3a62ec91009a909b76136b18d587af327ea405fef2b161a74602a1ae8893f300cb8271177921292 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\AlternateServices.bin
| MD5 | a7aa2535f32e7f17f4adbbc3860173cd |
| SHA1 | 0837ab2341354fd6cd6c59ecfed277b69c3ba1ae |
| SHA256 | f71832c8ecfcabe73ff7bb704a6cc67963bdf018cff606bc56ebe4f23e938b97 |
| SHA512 | 1f0f9aaacb5e34e1d21ac199e7780c620ea0fd32fd476ef852a24a2298e326ee03fd1460159888a27cf020507eef0038d168f57ec478d5c70e6307c9121845fe |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 4ceea0d8d2929f84c067441ce94aebfd |
| SHA1 | 47b3e7396bcd798c84dc0fc5ff9a0f79f6f01869 |
| SHA256 | 2d221cfd58bf056edb6ccdb8a3b2f2da521acacb15f7bbcf9d86de3f37d1f9e3 |
| SHA512 | b6082f984cdc5b6b8d9b0e76ba4d0f94923356a6b0584bd1fd43605c13313ad739ffdf6630dfdd06a8cd8cf6e9378e1f412983550c449889268090fcb9166e62 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\AB3B829517434EFA2FD3AF0A0BD74A71B44DF878
| MD5 | cd6901bda330f66a44f609d95175c81b |
| SHA1 | 7227e2429d1b263103b7decf410e3fc1d4bc2c4c |
| SHA256 | bbbd0250d22da79aa2bc5468e8e99929fac81df46903dd3f90abc500a2185262 |
| SHA512 | 3841aacaa98798f6dc2054ec1ad40acde511c1f2084d0fa97fdf40fd4f7e1df04c844607e5e197585cf0de507229c8c7d716f9b3bb888fb4580d90c7441c875a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\45B52D8C8914C42BBDEC58DE6C16E43B33677180
| MD5 | b7dafb282e9d0e91bdcbe105789a6f49 |
| SHA1 | 81ebbaa4cd2130d0dfe0dca457be4c9125498cbc |
| SHA256 | 4cc349f41eb5020b0f234e2fb0d88306f6cc0fcf88efee815eff79ea8cd54041 |
| SHA512 | efad380343a0ca3395448dadc26cf083617a0cebad7bfbea0bc3fa7061e1463735fd98788446eb8ca3d18b7286127866455f321c8dfeaf1db4a81dcf7728922f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\DA2624531BAB239256172FD7304575193E6592E2
| MD5 | eb35f7dc382c92896c642e938ce63f5d |
| SHA1 | 0f95fcc619fbd1f1d3cf1638cbf579d1e64e9269 |
| SHA256 | 4d52bf41e7c95e1917ef87ac27bc31d989a2d35c414b140673ab2058b3bde361 |
| SHA512 | a043b29c318ab8a6362a97a69004135277205304ee798cb426b10bc894dbf209d806beeba07ca97d1ec0b692e48a67164d36940cba56ce385fa484b5215a7f5c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\AD3CC0891E9946D0DB23F053C6BC26CF8D29F1F8
| MD5 | 581b0cdf59d14224f6e4ade9c4a8fb9f |
| SHA1 | c7c86a1cc904e030048c81bfedcdf9a89c8708af |
| SHA256 | b12cc51322227189b2ba733303363e093baf3264a4403e1140785d48677a44ab |
| SHA512 | 7dce15b799d908a8bdca413315a25e8e478ba9bd72fee7a0835a64e01b5776d12f34fa2d241984f748004865ef785309e9a3a14734403877673c6eb9dbdc9926 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 7cf6729ad70865328fb4d65764540293 |
| SHA1 | 21852f903bf9e3f3650c16a7d4bc41c533f16dba |
| SHA256 | 67cb37386a74f531f4a2fcbb2d7449c38f6590905230195ec46633e20687cefb |
| SHA512 | bc3345fb4666807d66c8a0237a3dc82e4f7a4ef4efba0cc4c1598fda91ee4302cac780838e59ba901ae5751a0fda776943b1ad2336ea0f8215c8b3f3afd3b997 |
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
| MD5 | 055d1462f66a350d9886542d4d79bc2b |
| SHA1 | f1086d2f667d807dbb1aa362a7a809ea119f2565 |
| SHA256 | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0 |
| SHA512 | 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1 |
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier
| MD5 | dce5191790621b5e424478ca69c47f55 |
| SHA1 | ae356a67d337afa5933e3e679e84854deeace048 |
| SHA256 | 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8 |
| SHA512 | a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641 |
memory/3352-687-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionCheckpoints.json
| MD5 | 66bdbb6de2094027600e5df8fbbf28f4 |
| SHA1 | ce033f719ebce89ac8e5c6f0c9fed58c52eca985 |
| SHA256 | df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc |
| SHA512 | 18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js
| MD5 | 1b76b523bc2184d6f26ec5c24db8eb18 |
| SHA1 | 0dee55790b2d7dfa811a5741c394e829f21957b2 |
| SHA256 | 13716a314884bae56f72cbff578cd433e00fb356956083482452ddd33edb513d |
| SHA512 | 4c3ea2b99c87b7c7d13101395079b9bd81ac6b00ae7fca411afeeeac932e9688359c870612492aa750576bb5a8e8171d4c0ed942d316c2b729037ba39ffe71b4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5a2e7a6ffa6170eceda462df079c6813 |
| SHA1 | 5bb622d41bc273419549bcc538b1c31470897411 |
| SHA256 | a2aa22af385ee46a7b3f620890b00e23f99c8fd576979fb7f9820779096f7a4b |
| SHA512 | c5c22b2931b5635d7f937f679c57eeedad74a2ed6eb0066f7a2166909ad6228da6efaa48b768072aee5bcb8438f16ef713e7d5fadad43af6a335dd1233247a22 |
memory/3352-773-0x000000000A6B0000-0x000000000A6E4000-memory.dmp
memory/3352-775-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-B78F0F36.[[email protected]].ncov
| MD5 | 30c9763b9464e55d114ce976836c1dc4 |
| SHA1 | 231167ee99281fc7dbaa702872ebb8f4674a1ebb |
| SHA256 | 9b5c950923255d18c197af59ccb569659f70c050f94182db73655a9d9c0047e6 |
| SHA512 | 94c7dc850bcc0d7f64369549148b6bfa781e6bc36e35e6f6c3929f48a04bab83f34b94339eec0684a502eee1e3bd2960c12070036951f6b7ade012a418c0857e |
memory/3352-5975-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\xulstore.json
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\startupCache\scriptCache.bin
| MD5 | e6ac015f2ef89d234ac445a401f4e3db |
| SHA1 | 6908a28ebde3949b9c82b788aa2f252d019f0f3d |
| SHA256 | edb472dbb612c29be5c248656b1c98b08bba7f6222f8941fb3214aa35879284c |
| SHA512 | 63933e5c26f6b777a86c2c278a3d6967b808d293c2bf445cc94cd7321469c439d0dd9f60a80b35a8e618a36c8486fcfc609fcdb8f4a5c349d87b1fdf31f7e619 |
memory/3352-22891-0x000000000A6B0000-0x000000000A6E4000-memory.dmp