Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 6, 2024, 6:21 p.m.	July 6, 2024, 6:32 p.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`055d1462f66a350d9886542d4d79bc2b`
SHA256	`dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0`
CRC32	`84E2BA75`
ssdeep	`24576:FRYz/ERA0eMuWfHvgPw/83JI8CorP9qY0:FE/yADMuYvgP93JIc2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

CoronaVirus.exe "C:\Users\test22\AppData\Local\Temp\CoronaVirus.exe"
2632
- cmd.exe "C:\Windows\system32\cmd.exe"
  2808
  - mode.com mode con cp select=1251
    2980
  - vssadmin.exe vssadmin delete shadows /all /quiet
    3024

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 6, 2024, 6:22 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 6, 2024, 6:22 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 6, 2024, 6:22 p.m.			0	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll
file	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.id-7C6024AD.[coronavirus@qq.com].ncov

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 6, 2024, 6:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.gfids
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	STYLE
resource name	UIFILE
resource name	WAVE

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 6, 2024, 6:21 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2024, 6:21 p.m.	process_identifier: 2632 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0afc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00403000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00404000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00408000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00409000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00411000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00413000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00414000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2024, 6:22 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00418000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

CoronaVirus.exe tried to sleep 615 seconds, actually delayed analysis time by 615 seconds

Creates executable files on the filesystem (3 events)

file	C:\Windows\System32\CoronaVirus.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\System32\cmd.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000001bc process_name: taskhost.exe process_identifier: 2464	1	1
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000001bc process_name: CoronaVirus.exe process_identifier: 2632	1	1
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000022c process_name: cmd.exe process_identifier: 2808	1	1
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000022c process_name: conhost.exe process_identifier: 2876	1	1
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000338 process_name: mode.com process_identifier: 2980	1	1
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000338 process_name: VSSVC.exe process_identifier: 812	1	1
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002fc process_name: svchost.exe process_identifier: 2120	1	1
Process32NextW July 6, 2024, 6:23 p.m.	snapshot_handle: 0x00000288 process_name: cmd.exe process_identifier: 2616	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00000800', u'virtual_address': u'0x00137000', u'entropy': 7.275896533150478, u'name': u'.text', u'virtual_size': u'0x000006c6'}

entropy

7.27589653315

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00036a00', u'virtual_address': u'0x00138000', u'entropy': 6.849800305883355, u'name': u'.rsrc', u'virtual_size': u'0x0003696c'}

entropy

6.84980030588

description

A section with a high entropy has been found

entropy

0.212632594021

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 6, 2024, 6:22 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 319 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000001bc process_name: CoronaVirus.exe process_identifier: 2632		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000022c process_name: conhost.exe process_identifier: 2876		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002f0 process_name: conhost.exe process_identifier: 2876		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000338 process_name: mode.com process_identifier: 2980		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000030c process_name: vssadmin.exe process_identifier: 3024		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000304 process_name: vssadmin.exe process_identifier: 3024		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002e8 process_name: vssadmin.exe process_identifier: 3024		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000348 process_name: vssadmin.exe process_identifier: 3024		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000338 process_name: VSSVC.exe process_identifier: 812		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000300 process_name: VSSVC.exe process_identifier: 812		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000284 process_name: VSSVC.exe process_identifier: 812		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002fc process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000031c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000380 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000380 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002f8 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000032c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000039c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002bc process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000230 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000364 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000280 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000358 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002f8 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000035c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002f8 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000358 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002bc process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000230 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002ec process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000304 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000310 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000340 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000039c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002bc process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000364 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000230 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002fc process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000364 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000364 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000290 process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x000002fc process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2120		0	0
Process32NextW July 6, 2024, 6:22 p.m.	snapshot_handle: 0x00000398 process_name: svchost.exe process_identifier: 2120		0	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe	reg_value	C:\Windows\System32\CoronaVirus.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 4385 events)

file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM42_05.png
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\gs8.60\Resource\ColorSpace\DefaultRGB
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\m_holiday\holiday_09.png
file	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\m_letter\letter_002.jpg
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\CCL\BY_NC_ND\S_BY_NC_ND.png
file	C:\Program Files (x86)\Common Files\microsoft shared\THEMES12\ECHO\THMBNAIL.PNG
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\ImageBullet\047.png
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM52_06.png
file	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSSTKO32.DLL
file	C:\Program Files\7-Zip\Lang\nl.txt
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\gs8.60\Resource\CMap\GBT-RKSJ-H
file	C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\Setup.xml
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\fonts\c059036l.afm
file	C:\Program Files (x86)\Hnc\Shared80\Dics\SIGMUR.INF
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM27_02.png
file	C:\Program Files (x86)\Hnc\Shared80\Dics\inmyeong.DAX
file	C:\Program Files\7-Zip\7-zip.chm
file	C:\Program Files (x86)\Hnc\HncDic80\Help\HncDicctxkor.chm
file	C:\Program Files\Java\jre7\lib\zi\Europe\Athens
file	C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\msvcr80.dll
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\ImageBullet\orange08.png
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\m_holiday\holiday_24.png
file	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande
file	C:\Program Files\Java\jre7\LICENSE
file	C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACER3X.DLL
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\Office Setup Controller\Word.ko-kr\SETUP.XML
file	C:\Program Files\Mozilla Firefox\softokn3.dll
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\m_achieve\achieve_02.jpg
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\ImageBullet\red06.png
file	C:\Program Files (x86)\Hnc\Shared80\Fonts\ENBODBK.HFT
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\ImageBullet\073.png
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM20_03.png
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM28_02.png
file	C:\Program Files (x86)\Hnc\Shared80\Dics\haneui.inf
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\m_power\madang.ini
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM24_02.png
file	C:\Program Files\Java\jre7\lib\zi\America\Regina
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\MY_Hangulmuni\HM31_04.png
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\Office Setup Controller\ENTERPRISE\EnterpriseWW.XML
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\IMCGM9.FLT
file	C:\Program Files (x86)\Hnc\Shared80\Clipart\m_goal\goal_23.jpg
file	C:\Program Files (x86)\Hnc\Shared80\Fonts\ENGSI.HFT
file	C:\Program Files (x86)\Common Files\microsoft shared\THEMES12\CONCRETE\CONCRETE.INF
file	C:\Program Files (x86)\Common Files\microsoft shared\THEMES12\AXIS\THMBNAIL.PNG
file	C:\Program Files\Java\jre7\bin\java_crw_demo.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACEEXCH.DLL
file	C:\Program Files (x86)\Hnc\HncTT80\Data\eng2.dat
file	C:\Program Files (x86)\Hnc\Hwp80\DocFilters\Template\Html\Kor\Template_2.htm

Removes the Shadow Copy to avoid recovery of the system (1 event)

cmdline

vssadmin delete shadows /all /quiet

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

vssadmin delete shadows /all /quiet

Performs 168 file moves indicative of a ransomware file encryption process (50 out of 168 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab newfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab newfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\7-Zip\7z.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\7-Zip\7z.dll newfilepath: C:\Program Files\7-Zip\7z.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\7-Zip\7z.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\bin\jfxwebkit.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\bin\jfxwebkit.dll newfilepath: C:\Program Files\Java\jre7\bin\jfxwebkit.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\bin\jfxwebkit.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt newfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt newfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\bin\server\classes.jsa.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\bin\server\classes.jsa newfilepath: C:\Program Files\Java\jre7\bin\server\classes.jsa.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\bin\server\classes.jsa	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\bin\server\jvm.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\bin\server\jvm.dll newfilepath: C:\Program Files\Java\jre7\bin\server\jvm.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\bin\server\jvm.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\lib\charsets.jar.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\lib\charsets.jar newfilepath: C:\Program Files\Java\jre7\lib\charsets.jar.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\lib\charsets.jar	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\lib\deploy.jar.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\lib\deploy.jar newfilepath: C:\Program Files\Java\jre7\lib\deploy.jar.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\lib\deploy.jar	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT newfilepath: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT	1	1

Appends a new file extension or content to 168 files indicative of a ransomware file encryption process (50 out of 168 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\osetup.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\OWOW64WW.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab newfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab newfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeLR.cab	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\OfficeMUI.msi	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\7-Zip\7z.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\7-Zip\7z.dll newfilepath: C:\Program Files\7-Zip\7z.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\7-Zip\7z.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\mshwkorr.dll		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll newfilepath: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat newfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\bin\jfxwebkit.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\bin\jfxwebkit.dll newfilepath: C:\Program Files\Java\jre7\bin\jfxwebkit.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\bin\jfxwebkit.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt newfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt newfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt		0
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\bin\server\classes.jsa.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\bin\server\classes.jsa newfilepath: C:\Program Files\Java\jre7\bin\server\classes.jsa.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\bin\server\classes.jsa	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\bin\server\jvm.dll.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\bin\server\jvm.dll newfilepath: C:\Program Files\Java\jre7\bin\server\jvm.dll.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\bin\server\jvm.dll	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\lib\charsets.jar.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\lib\charsets.jar newfilepath: C:\Program Files\Java\jre7\lib\charsets.jar.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\lib\charsets.jar	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files\Java\jre7\lib\deploy.jar.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files\Java\jre7\lib\deploy.jar newfilepath: C:\Program Files\Java\jre7\lib\deploy.jar.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files\Java\jre7\lib\deploy.jar	1	1
MoveFileWithProgressW July 6, 2024, 6:22 p.m.	newfilepath_r: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT.id-7C6024AD.[coronavirus@qq.com].ncov flags: 2 oldfilepath_r: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT newfilepath: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT.id-7C6024AD.[coronavirus@qq.com].ncov oldfilepath: C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\KRPRINT.DAT	1	1

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.DelShad.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Rootkit.th
ALYac	Trojan.Ransom.Crysis
Cylance	Unsafe
VIPRE	Gen:Variant.Brresmon.194
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 00560a531 )
BitDefender	Gen:Variant.Brresmon.194
K7GW	Trojan ( 00560a531 )
Cybereason	malicious.2f66a3
Arcabit	Trojan.Brresmon.194
VirIT	Trojan.Win32.Genus.BZW
Symantec	Ransom.Crysis
ESET-NOD32	Win32/Filecoder.Crysis.P
APEX	Malicious
McAfee	Ransomware-GYA!055D1462F66A
Avast	Win32:RansomX-gen [Ransom]
ClamAV	Win.Packer.MalwareCrypter-6620810-1
Kaspersky	Trojan.Win32.DelShad.cnt
Alibaba	Ransom:Win32/Crysis.ali1020005
NANO-Antivirus	Trojan.Win32.DelShad.hbhyer
SUPERAntiSpyware	Trojan.Agent/Gen-DelShad
MicroWorld-eScan	Gen:Variant.Brresmon.194
Rising	Ransom.FileCryptor!8.1A7 (TFE:5:6uIZvQjslpQ)
Emsisoft	Gen:Variant.Brresmon.194 (B)
F-Secure	Heuristic.HEUR/AGEN.1314047
DrWeb	Trojan.Encoder.3953
Zillya	Trojan.DelShad.Win32.406
TrendMicro	TROJ_GEN.R002C0DL723
McAfeeD	ti!DDDF7894B2E6
FireEye	Generic.mg.055d1462f66a350d
Sophos	Mal/Generic-S
Ikarus	Trojan-Ransom.DharmaCrypt
Jiangmin	Trojan.DelShad.ul
Webroot	W32.Malware.Gen
Google	Detected
Avira	HEUR/AGEN.1314047
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.Occamy
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Ransom.Win32.Gandcrab.vb
Xcitium	Malware@#2yjrdnzlmd95d
Microsoft	Trojan:MSIL/Cryptor
ViRobot	Trojan.Win32.Ransom.1062912
ZoneAlarm	Trojan.Win32.DelShad.cnt
GData	Gen:Variant.Brresmon.194
Varist	W32/Kryptik.DES.gen!Eldorado
AhnLab-V3	Malware/Win32.Generic.C3993407

CoronaVirus.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All