Analysis
max time kernel: 344s
max time network: 347s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/02/2025, 00:59
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://streamtoearn.io/
Resource: win10v2004-20250217-en
General
Target: https://streamtoearn.io/
Malware Config
Extracted: C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Signatures
CryptoLocker
Ransomware family with multiple variants.
Cryptolocker family
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
Dharma family
Fantom
Ransomware which hides its encryption process behind a fake Windows Update screen.
Fantom family
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (664) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Disables Task Manager via registry modification
Downloads MZ/PE file (4 IoCs)
flow | pid | Process
113 | 3020 | msedge.exe
113 | 3020 | msedge.exe
113 | 3020 | msedge.exe
113 | 3020 | msedge.exe
resource | yara_rule
behavioral1/files/0x000b0000000240a5-27336.dat | office_xlm_macros
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | Fantom.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | CoronaVirus.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | msedge.exe
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.
Drops startup file (5 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
Executes dropped EXE (14 IoCs)
pid | Process
5020 | WinNuke.98.exe
672 | CoronaVirus.exe
5716 | msedge.exe
21672 | CryptoLocker.exe
21840 | {34184A33-0407-212E-3320-09040709E2C2}.exe
22452 | {34184A33-0407-212E-3320-09040709E2C2}.exe
20936 | msedge.exe
20684 | msedge.exe
20180 | msedge.exe
20532 | Fantom.exe
17412 | Fantom.exe
17736 | msedge.exe
17232 | msedge.exe
16260 | WindowsUpdate.exe
Loads dropped DLL (7 IoCs)
pid | Process
19768 | msedge.exe
5716 | msedge.exe
20936 | msedge.exe
20684 | msedge.exe
20180 | msedge.exe
17736 | msedge.exe
17232 | msedge.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | {34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Drops desktop.ini file(s) (64 IoCs)
description: File opened for modification (all 64 entries); Process: CoronaVirus.exe (all 64 entries)
ioc
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-1170604239-850860757-3112005715-1000\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Public\Documents\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-1170604239-850860757-3112005715-1000\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
112 | raw.githubusercontent.com
113 | raw.githubusercontent.com
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-200.png | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Staging.DATA | CoronaVirus.exe
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\DECRYPT_YOUR_FILES.HTML | Fantom.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msador15.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-125.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Compression.Base.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_mi.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fil.pak.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdm.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js | CoronaVirus.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\PSGet.Resource.psd1.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-100.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-lightunplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\id.pak.DATA | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-100.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jsound.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Internet Explorer\en-US\DECRYPT_YOUR_FILES.HTML | Fantom.exe
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\icu.md | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-100.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-unplated_contrast-white.png | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.id-CFBE28CC.[[email protected]].ncov | CoronaVirus.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fantom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fantom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinNuke.98.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoronaVirus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CryptoLocker.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
7068 | vssadmin.exe
22488 | vssadmin.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings | OpenWith.exe
NTFS ADS (6 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 824397.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 875959.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 6192.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 363008.crdownload:SmartScreen | msedge.exe
File created | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA | CryptoLocker.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 825095.crdownload:SmartScreen | msedge.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
16844 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3020 | msedge.exe (2 entries)
4596 | msedge.exe (2 entries)
4688 | identity_helper.exe (2 entries)
2464 | msedge.exe (2 entries)
3952 | msedge.exe (4 entries)
752 | msedge.exe (2 entries)
672 | CoronaVirus.exe (50 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
17100 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
pid | Process
4596 | msedge.exe (18 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 19540 | vssvc.exe
Token: SeRestorePrivilege | 19540 | vssvc.exe
Token: SeAuditPrivilege | 19540 | vssvc.exe
Token: SeDebugPrivilege | 20532 | Fantom.exe
Token: SeDebugPrivilege | 17412 | Fantom.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4596 | msedge.exe (64 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
4596 | msedge.exe (24 entries)
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
17100 | OpenWith.exe (13 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4596 wrote to memory of 760 | 4596 | msedge.exe | 84 (2 entries)
PID 4596 wrote to memory of 1900 | 4596 | msedge.exe | 85 (multiple entries)
PID 4596 wrote to memory of 3020 | 4596 | msedge.exe | 86 (2 entries)
PID 4596 wrote to memory of 3500 | 4596 | msedge.exe | 87 (multiple entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://streamtoearn.io/
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff971f146f8,0x7ff971f14708,0x7ff971f14718
  PID:760

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  PID:1900

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3020

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  PID:3500

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  PID:3860

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  PID:4808
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  PID:4352

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4688

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  PID:2752

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  PID:2484

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  PID:852

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  PID:1084

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  PID:4436

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  PID:2684

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  PID:4736

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  PID:2740

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  PID:2472

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  PID:4316

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  PID:3184
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5716 /prefetch:8
  PID:4764

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  PID:2624

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
  PID:1360

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:2464

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6216 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:3952

  C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5020

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  PID:2764

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
  PID:4860

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1212 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:752
  C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:672

    C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    PID:4760

      C:\Windows\system32\mode.com
      mode con cp select=1251
      PID:2832

      C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:7068

    C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    PID:21568

      C:\Windows\system32\mode.com
      mode con cp select=1251
      PID:22060

      C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:22488

    C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    PID:22276

    C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    PID:21964
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  - Loads dropped DLL
  PID:19768

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2248 /prefetch:8
  PID:5752

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
  PID:11292

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5716
  C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:21672

    C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:21840

      C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:22452
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20936

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1164 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20684

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20180
  C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:20532

    C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    - Executes dropped EXE
    PID:16260

  C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:17412
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:17736

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  - Executes dropped EXE
  - Loads dropped DLL
  PID:17232
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:19540

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e8d89aef93d94ad4977d1e545b3889b5 /t 21972 /p 21964
PID:21524

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fbfc2ceeb77342cb9ac583b9aecf0461 /t 22308 /p 22276
PID:21164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:17100

  C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Zloader.xlsm
  - Opens file in notepad (likely ransom note)
  PID:16844
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
3.2MB
MD5ad8536c7440638d40156e883ac25086e
SHA1fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA25673d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
-
Filesize
1KB
MD5e0c0ae085b19cd92757a8c5d6c4c2890
SHA154b10bfc7a1280dd11c270fb8ad740150a098024
SHA256a392652ed8ef9095dd6da4fff470eb79fa04b537c2f2cbe5424c6c0e866cfe2a
SHA512fc5e39a5d812626f6f40fa4492c6fe2a7543526ffec92cd477c29d5dbc42caf3b3c73e594569b6eecf8b2e7fcc186c3f11b1e8599c4b97a037b4dfc2d62dc8d8
-
Filesize
1KB
MD513f393b8a71942a781d642de9b6b920a
SHA13ef9d0b5c31343cabd5ab658b453c68b8ebd8757
SHA256f6ce199375771793763f4ebdaa7f7dd2bdcd7863084ce4ec127fb2fa32e8ca9d
SHA512d7f468a53de53bb9e007bbd81c8c4609b2cdcf115a0ab62c54c54490d10c4c178d2002136ffb8b23c33226293a526644da32bd627e33dcb9333cf1933481873e
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-CFBE28CC.[[email protected]].ncov
Filesize
2.7MB
MD5dbb5f2e6ca632421d7b3cacc9139a387
SHA11a959935ce53b69dca9c1d0177a1dc062e1aa3b4
SHA2560fdca5867517a704efde058714016bbd29afc6134e36d78a94e73c19fa0ffdd4
SHA512bccfbfbc805c407beb80d10c060d7f661e1e9dfb32f6f81e48a7925d20acbcd4a4c00a6765c0fcfb02096347710d9cb5b9d43fa68c52c81e863c372a7c1a0505
-
Filesize
152B
MD5e77abac3d03f5b27ca6d587bff7cfce4
SHA12398274b1f425b428b6860d225d691ccd6cac355
SHA256eb56f6b62d68039ebff870d1968be6d2499c3ef9046555c20b1623eaeadf5c03
SHA512bfb7aa7973e3ef57df95a42c7ce0e7ec1fa4afe0276802f38f3791e4a4d2aa9af300887fbca7297b75276415ecae7cc7ac0c413a3c95345e7b3354407c770a7f
-
Filesize
152B
MD571678a9de9a3336190ff95537cd87a7b
SHA19e213afb4f6397c8e64c2bcb8cd36931845a0474
SHA256ac58d2d4beb00dc62fb0a5b50cac02d2529cb51733065ca5f1763bd810371c3c
SHA5125f402598e4533d1a25e802353387725753ce54c7638515f91d80db2eed13ee9a676ae401e47ab424f57bdd5f3d6b75e577027fee10ded7cea0d99cbbd3c0c937
-
Filesize
2.7MB
MD5a46af05a14bf13c4d2dfdad802c8fedb
SHA16bc23c26addb2ff9b8552084bbcd5736c8e969e6
SHA25673741cd0fb61b93351dd78c11279fee0dbdccbfa534776657c82f50e6e85a4a7
SHA512e7e3bc56bc39719758867144a6d3a34d3747e014cb4c39c2ac19cd4dfea3e8b4410ca7dc9083b515c199263daee4aa54d21cd2099258d1b2e65076b4ff0c7670
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB
MD546662349d932e6bbf394cefd34625313
SHA102cb7a8c13414fdae7fe38c3067865dea6e2b5c9
SHA256b16d3ba230943ec5c32cb09d330cc623cd0a6da16a5e0e2efa8d0a5d066925dd
SHA512928d190fb0617ebfd7ef0f0fa2e5fe3ce176a161f3aa16be60dda5b6943b794e51be33ba118bde3a21f41c7a8e2281d80183947f89a1852c8971da316c78e2c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B
MD58ab1b6afc898c123f8fad493260381f8
SHA122fc7a234c1121e8e3521e0a6c81dd930cc64f6d
SHA2568a47618c1e4e0afed1802bbb6d7176c5b02798b7b67309d8c035c7e4aca4619a
SHA512a22d61a8dd192b28427a9298776c97bddc35fb955f10dbc661a473d3ae6ce0127eb8c2e62b0ce346ffdc54ebc7d7e59e45f1b8c4142a43e885a10211ec9c4314
-
Filesize
1KB
MD5e34f48cd64d8d6567de389b865c08ab4
SHA1aa641eba2201862624a67a164fd4d86f0d177b36
SHA2563c3d82f3ae116d082333ff9763ab5a86f70ba0aded2c7757e4a673fa7298e1f3
SHA5127bc0ef8d964be59270a1333135e42c18a7cea0aee360b1a472e29aedf9bfbfeabbf2b1999ecc37203521d77ef60494599d996d6eb3e9c9b7396b27b3921318aa
-
Filesize
1KB
MD5f2e3b3759e901cf29aa428fb0ee1b27e
SHA1ef1a6b020648ea39acb8eb703208155917609998
SHA2561a40d46aaab4b8cde6dad9b34bf41b90c1b36a62761c62c405e3ae36b7cd1b16
SHA51254373b6847a12dc0d1c7272c55541b63b80e905016025fd3fbb2cbb1e69282aaf5b4c502269ce473bc49f6da832b3ffcbd2f236686df1de952b4c3e15e3e8033
-
Filesize
5KB
MD59c9de85b592b9e5aae7cdd90f5f14606
SHA115929d08bd724d9827b851fa58ad1daa1c19e3c9
SHA2562a0c3150f8961ebbcea9a887756920393e0a7d20d0b6865a7b56d1752771d786
SHA5127906352119097f6e81a762acc88e336371fd4f0e46098e7990f842984185decaf3585dee1f534cce43a8727636748471dcae4c3c7c1c7e4d0b1e94af9ba98736
-
Filesize
6KB
MD536caa19562badac74485c85eb83710cb
SHA1a7ee194d80e433d0864c5a8f83c5fe611924e49d
SHA2563caa83d391209a2a7072630be27e9eef7de4eab88d7b8e3ee920d54fd3430fb2
SHA512d162fcb7f510f6f1cc4a0232c5fecf3b8db18556cc439c19d41687ec21a32b5bae036b9fbfd9059d78c7bacd549102cfe4187cfc02e3a5f324795f0ce0904c40
-
Filesize
6KB
MD593d20fbbfe8c1b8d9c18f0dcbf5b4b7a
SHA11555bdf60ac1442e6f47c941b310cf111cb81c51
SHA2569ca01765bf3388d3889908f0b214ae4ef1d1e44f4dcf1d3a369bf12de74f9d62
SHA5127c50d19db80fb62090cf7243050fbe7a0013e9acbbfd3e9cc213e71baae9f1c4b854e6ef5dc8039b52831e868fba319eabbb558006e16e6bafda42ef1e47a4b8
-
Filesize
7KB
MD51b02d8fd607c830d707a79992a9dbec3
SHA13fce9fef4ae7b669e90cd31f206aa82ccbe7181c
SHA2569e3db50eee40ece88ad5ed7bbf1c19ec2fe016cbb9a13b005ef7b3f0f6d38d95
SHA5129a96afd74aaeb07b2ae5e7b07f79463cfcc9931683ffec9de2e95c24842fb475b6a719839200b8e7a95105107e99ff9306a5a2557c0c681240c7128403784efe
-
Filesize
24KB
MD54b1e7acd32825c7f744f494e7081e758
SHA1eed26dc816512e0fa20db9c7d3fe946a2d7fe516
SHA256253253417e3ebff861efe55924d12a6508f7a322b2c0cfa79fb8ec635cef9ffb
SHA512d8c055b43d75b029908d10cb2d5310f99fdfaa741a406bd9cb2c6a7d606eaa1373dc8ae256403572ef9dbf60315505134fc668c9525cf76638c895a5d2f083c5
-
Filesize
1KB
MD5864a32b7df99ec7f27a325772b746063
SHA1dd54385b07b8fb820238cc2e4bba4cc36fe57efc
SHA2567df482d421d73a96a15d4273e16c5a3b246975f0763d7de3cf809d407fac7d8d
SHA512f538b00bef08f3142b24fef95cede1e3f1df3d1fd7663ae1a5f56b7164e57ad3e4a6f195c8dd525a161cb7fe2f47041b4ca4849c2e5664b968e82debe7f27b3d
-
Filesize
1KB
MD546398eecf5e3631fe22aaa53de125e1a
SHA169219b71f2b1242779005312f029a6714182213e
SHA256a6d533a823195a6cca2408b5c005c27e7097d2eaa4e21003145075517cada93d
SHA512f235bdf7defb3e318bcd5535c4ef4f1fa142aff0c7e77a6c3dbf5cb534234365bb9495ed7253c4db565091791754cea2f7b96b7fd6b18cc659ca406b8b624211
-
Filesize
1KB
MD5f1cef90d56bed0b9d9b0fe7f9b945b0a
SHA13677b8f7a8b503569d2b918bf503e219379c9f8e
SHA2565752df09882d8f130744ab450cbb0b302af1cb7eb1213a6bd6bf0e39cf539d6e
SHA512719b28852e9cd8f72ad9ecf4ab4961e6b7944205bbd5054da4f73b186877d6e741fe22031ae1c5343ad9bfeca8cd5478b670ede45bb8dbf5c3a533ba065ea440
-
Filesize
1KB
MD52ecba00f54d23d49fc84487e2a844c33
SHA1dc92fb2ddd172b306a6958ee7d63bf57b79b1265
SHA256e96d02d5bc1c35860b48f793d49ee7a1a9b7dca17e7275fb185a043e9a3cead7
SHA5129dbe01bd1bbeddbc88b7fe02180bf9e06e67a467dc945e635c5b63a1378592c275ac30ca1efa41931800ff4404da2d8408420b7a83625170dd69e451f69481f1
-
Filesize
1KB
MD56fd316f591a41942f2baed8d4d85db04
SHA1d1f56176a00eec0a59fc39f0cac916ccfa332fc3
SHA2569a25d9c08fca0c7a3891614bce0389962429a5a1931787aeb781b0b097d5f20c
SHA512b502220d63a4c4f9020abeacf72e2f06c15229d4a05c2fdfa6e3128a608feda2126eaf8455cbcb8e743717a1d2c51e8f7ae40e2f0a6eb9d18982d43ba270865c
-
Filesize
1KB
MD5142784187c95167a36fb9f7241de773a
SHA119c5a3784f6fae9250bcee63f31092c87179c287
SHA2568b01c118adcc2c61ab3f0c84ccf3776c29a74541e375269e64b91df3cc5af473
SHA512a9d9c553f709667cc589a4eea0a020649760b85465d12668fa7a0ddddaa3e8c3fed5ad01c4f32250f5e39df555d7e54f87a1c444d20cf27e33775f85606ae309
-
Filesize
1KB
MD5a3e71ed2351160ec7f94ce3313af6368
SHA1bca0b8926acab49e85c4aaae563e18b01789f08c
SHA256575e8d9543eaec14c91e5f6ed806aef99c14cd1e9c811cdddb2b5e755e1c7b58
SHA512c6dfff2671f34390ec502d6844d7a280d994c042a06c6dfaa1ffa58b813e6a4fdbffc6640a9f5cdc3efb43aefc5d3930bb6b6906f1362f327e42a31bbaa6098b
-
Filesize
1KB
MD5cadd7f8ab04dc7bfc713d9e6a347ed76
SHA14189add575694dc7d8c57bdc430763a4ab476dd1
SHA2560d21aaaf4e13f95cf6066762be5d366ec2df77828554b105151b74aaa4f5b1c1
SHA51220fa18fa483d888609cb8561a364581f9ca5d3278f12edec72b7961d8ff946417cf88fcde204a595c5a0d871e65b6a60a0271e5d9f8ceebc9a2d20f6c2ef6a96
-
Filesize
1KB
MD5c304509a2cddeaea0437dafefbe48857
SHA1248ee27f338a6c4aa71d3117467cfc2474469e47
SHA2563fe8db5c6b61bd7156e8a56d22f9654afed1a07130ee9e77dde8e0b99232232c
SHA512d4169fd486c626e85ffe50b6f371851a924a23d23d91816e76f239e0f4c232cab5a3c1db184c20f4bb6f449f0ea80c1cb7cca4a3851dabf7263ac4dc32b3743b
-
Filesize
1KB
MD5f8d90d4275158d072b50db4e0afeb933
SHA161b5e3125fc641445d06efe3657d089016b5b595
SHA25601d6155c9c3c339150ff6ff99b171c65847bd492fe0e7dd00fc729007df79a11
SHA512d28c8986267a7e62b5941416db0a8cd238cc28ab30926ca7936a42b6814c3aed76167955819f3bf7eb63db147b6d3e0b41e7e4cbbbe1fb4fb961d1286235b527
-
Filesize
1KB
MD50b3081ae26ff7fc568c0ab612822b67f
SHA18427ddbae1f3c1a0de0827e8843fe1aa336e5c54
SHA256d4bb59e5c982fa4af0c20aaf2fd4557bea466d5561920089363505d4d90f0ad3