dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MrsMajors/MrsMajor3[.]0[.]exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (774) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 3 IoCs

flow	pid	Process
107	4432	msedge.exe
107	4432	msedge.exe
143	4432	msedge.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	MrsMajor3.0 (1).exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 12 IoCs

pid	Process
4592	MrsMajor3.0.exe
1596	eulascr.exe
2768	MrsMajor3.0 (1).exe
3364	eulascr.exe
368	CoronaVirus.exe
4324	CoronaVirus.exe
21228	CoronaVirus.exe
13592	msedge.exe
18956	msedge.exe
19348	msedge.exe
20052	msedge.exe
20644	msedge.exe

Loads dropped DLL 13 IoCs

pid	Process
1596	eulascr.exe
3364	eulascr.exe
13592	msedge.exe
13592	msedge.exe
13592	msedge.exe
18956	msedge.exe
18956	msedge.exe
19348	msedge.exe
19348	msedge.exe
20052	msedge.exe
20052	msedge.exe
20644	msedge.exe
20644	msedge.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000c000000024046-377.dat	agile_net
behavioral1/memory/1596-379-0x0000000000880000-0x00000000008AA000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3920955164-3782810283-1225622749-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3920955164-3782810283-1225622749-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
105	raw.githubusercontent.com
114	drive.google.com
141	raw.githubusercontent.com
142	raw.githubusercontent.com
143	raw.githubusercontent.com
148	drive.google.com
106	raw.githubusercontent.com
107	raw.githubusercontent.com
113	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\3DViewerProductDescription-universal.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-100.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.strings.psd1.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEOLEDB.DLL.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ar.pak	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\LogoDev.png.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-125.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\MedTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV	CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OutlookAccount.scale-100.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\1.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons_retina.png.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\rtmpal.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x64\msvp9dec_store.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\bn-IN.pak.DATA.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML.id-7B550D40.[[email protected]].ncov	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
11412	vssadmin.exe
15812	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875762060104244"	msedge.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920955164-3782810283-1225622749-1000\{C74CECAD-EB40-4784-B2AB-FEC93840B8BE}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\MuiCache	wwahost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe
368	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	eulascr.exe
Token: SeDebugPrivilege	3364	eulascr.exe
Token: SeBackupPrivilege	17808	vssvc.exe
Token: SeRestorePrivilege	17808	vssvc.exe
Token: SeAuditPrivilege	17808	vssvc.exe
Token: SeDebugPrivilege	19800	taskmgr.exe
Token: SeSystemProfilePrivilege	19800	taskmgr.exe
Token: SeCreateGlobalPrivilege	19800	taskmgr.exe
Token: 33	19800	taskmgr.exe
Token: SeIncBasePriorityPrivilege	19800	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe
19800	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4592	MrsMajor3.0.exe
2768	MrsMajor3.0 (1).exe
19940	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3584	1316	msedge.exe	85
PID 1316 wrote to memory of 3584	1316	msedge.exe	85
PID 1316 wrote to memory of 4432	1316	msedge.exe	86
PID 1316 wrote to memory of 4432	1316	msedge.exe	86
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4440	1316	msedge.exe	87
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88
PID 1316 wrote to memory of 4400	1316	msedge.exe	88

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/MrsMajors/MrsMajor3.0.exe
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffc21a7f208,0x7ffc21a7f214,0x7ffc21a7f220
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1928,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2304,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3428,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4712,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4844,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5668,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3440,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5924,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:5764
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4592
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\88E7.tmp\88E8.tmp\88E9.vbs //Nologo
    3⤵
    - UAC bypass
    - Checks computer location settings
    - System policy modification
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\88E7.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\88E7.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6792,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=120 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6752,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3664,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6768,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
  2⤵
  PID:364
- C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe
  "C:\Users\Admin\Downloads\MrsMajor3.0 (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2768
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EE09.tmp\EE0A.tmp\EE1B.vbs //Nologo
    3⤵
    - UAC bypass
    - Checks computer location settings
    - System policy modification
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\EE09.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\EE09.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6368,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=5828,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7004,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6920,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:4316
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:368
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1680
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:8124
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:11412
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:12456
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:14572
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:15812
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:14148
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:14180
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5764,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:13592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3652,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:18956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:19348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4968,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4212,i,11589796974108958127,12412077191002366791,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20644

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\CoronaVirus.exe
1⤵
PID:3316
- C:\Windows\System32\CoronaVirus.exe
  C:\Windows\System32\CoronaVirus.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:21228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:17808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mshta.exe "C:\Windows\System32\Info.hta"
1⤵
PID:14296
- C:\Windows\system32\mshta.exe
  mshta.exe "C:\Windows\System32\Info.hta"
  2⤵
  PID:15240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"
1⤵
PID:14388
- C:\Windows\system32\mshta.exe
  mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"
  2⤵
  PID:15200

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\420bdb5131e64fc5aa76481b34a4cf02 /t 14172 /p 14180
1⤵
PID:18964

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:19800

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:19940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery