Analysis
max time kernel: 334s
max time network: 298s
platform: windows10-2004_x64
resource: win10v2004-20240910-de
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-de, locale:de-de, os:windows10-2004-x64, system:windows
submitted: 14-09-2024 12:07
Static task: static1
Behavioral task: behavioral1
Sample: car.png
Resource: win10v2004-20240910-de
General
Target: car.png
Size: 2KB
MD5: e1698e3caafc06f3b00a98eb5909b2ab
SHA1: 2907a45bf6cf1e392664bccb8c05e1a5724fe01c
SHA256: 052215bee4c3ccb1c764edc26f6d28d78486868a68ac88844ac98296cf628ac9
SHA512: dc3bf1dbc2ebe504cc68896ab7cde52f53282603d630a5354d74731857644d16175fceb0fedf19419153e02c2fcc73f6a51d7188a41cbe6ead5ceae311308125
Malware Config
Extracted: C:\Users\Admin\Desktop\read_it.txt (family: chaos)
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 5 IoCs
Processes (resource, yara_rule):
- C:\Users\Admin\Downloads\Nicht bestätigt 565082.crdownload: family_chaos
- behavioral1/memory/3660-975-0x0000000000840000-0x00000000008CE000-memory.dmp: family_chaos
- \??\c:\Users\Admin\AppData\Local\Temp\ajj5kcl1\ajj5kcl1.0.cs: family_chaos
- C:\Users\Admin\Downloads\hehehehehehhehehehe.exe: family_chaos
- behavioral1/memory/944-1230-0x00000000006A0000-0x00000000006AC000-memory.dmp: family_chaos
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation (hehehehehehhehehehe.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation (svchost.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation (hehehehehehhehehehe.exe)
Drops startup file 3 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (svchost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt (svchost.exe)
Executes dropped EXE 5 IoCs
Processes (pid, process):
- 3660 Chaos Ransomware Builder v4.exe
- 944 hehehehehehhehehehe.exe
- 3808 svchost.exe
- 2176 hehehehehehhehehehe.exe
- 4968 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Processes (description, ioc, process); every entry is "File opened for modification" by svchost.exe:
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- F:\$RECYCLE.BIN\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes (flow, ioc):
- 110 camo.githubusercontent.com
- 111 camo.githubusercontent.com
- 127 raw.githubusercontent.com
- 128 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Modifies data under HKEY_USERS 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133707893163890137" (chrome.exe)
Modifies registry class 36 IoCs
Processes (description, ioc, process):
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (Chaos Ransomware Builder v4.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (Chaos Ransomware Builder v4.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" (Chaos Ransomware Builder v4.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629364133-3182087385-364449604-1000\{4485E356-D6D2-4F47-A3AE-841C8AB2CF8F} (msedge.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} (Chaos Ransomware Builder v4.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" (Chaos Ransomware Builder v4.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (Chaos Ransomware Builder v4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (Chaos Ransomware Builder v4.exe)
NTFS ADS 1 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\Downloads\Nicht bestätigt 565082.crdownload:SmartScreen (msedge.exe)
Opens file in notepad (likely ransom note) 2 IoCs
Processes (pid, process):
- 4784 NOTEPAD.EXE
- 3456 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
- 3808 svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; distinct entries among the 64 hits):
- 2840 chrome.exe
- 2992 msedge.exe
- 4756 msedge.exe
- 3296 identity_helper.exe
- 2588 msedge.exe
- 3556 msedge.exe
- 3660 Chaos Ransomware Builder v4.exe
- 5020 msedge.exe
- 944 hehehehehehhehehehe.exe
- 3808 svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
Processes (pid, process; distinct entries among the 22 hits):
- 2840 chrome.exe
- 4756 msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process; distinct entries among the 64 hits):
- Token: SeShutdownPrivilege 2840 chrome.exe
- Token: SeCreatePagefilePrivilege 2840 chrome.exe
Suspicious use of FindShellTrayWindow 63 IoCs
Processes (pid, process; distinct entries among the 63 hits):
- 2840 chrome.exe
- 4756 msedge.exe
Suspicious use of SendNotifyMessage 48 IoCs
Processes (pid, process; distinct entries among the 48 hits):
- 2840 chrome.exe
- 4756 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 3660 Chaos Ransomware Builder v4.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process; distinct entries among the 64 hits):
- PID 2840 wrote to memory of 3100: chrome.exe -> chrome.exe
- PID 2840 wrote to memory of 1712: chrome.exe -> chrome.exe
- PID 2840 wrote to memory of 4636: chrome.exe -> chrome.exe
- PID 2840 wrote to memory of 432: chrome.exe -> chrome.exe
Processes
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\car.png
  PID: 3784
C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2840
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdc870cc40,0x7ffdc870cc4c,0x7ffdc870cc58
    PID: 3100
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2028 /prefetch:2
    PID: 1712
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1584,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2096 /prefetch:3
    PID: 4636
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2520 /prefetch:8
    PID: 432
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3192 /prefetch:1
    PID: 2568
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3236 /prefetch:1
    PID: 4516
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4580 /prefetch:1
    PID: 4004
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4868 /prefetch:8
    PID: 3004
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=4968 /prefetch:8
    PID: 3424
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4048,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5496 /prefetch:1
    PID: 3504
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=240,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5484 /prefetch:8
    PID: 4228
  child: C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3184,i,10936662311075854100,8578634639144698668,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3224 /prefetch:8
    PID: 1468
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 960
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 1620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 4756
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  child: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc85c46f8,0x7ffdc85c4708,0x7ffdc85c4718
    PID: 5060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:22⤵PID:4856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵PID:4724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵PID:3752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:1116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:12⤵PID:2100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:12⤵PID:2732
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:82⤵PID:4024
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=4756 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:12⤵PID:3916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:12⤵PID:960
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:12⤵PID:2492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:12⤵PID:2768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵PID:2100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=audio --mojo-platform-channel-handle=5456 /prefetch:82⤵PID:4396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=video_capture --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2588 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵PID:2724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:12⤵PID:2132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:12⤵PID:3488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:12⤵PID:3588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:2596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=5796 /prefetch:82⤵PID:4884
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:12⤵PID:4820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6848 /prefetch:82⤵PID:4916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=7032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3556 -
C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"C:\Users\Admin\Downloads\Chaos Ransomware Builder v4.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3660 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajj5kcl1\ajj5kcl1.cmdline"3⤵PID:3848
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BB9.tmp" "c:\Users\Admin\Downloads\CSCFDBC889C9FBB40809B996984B6627AAD.TMP"4⤵PID:4732
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3696 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵PID:2268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵PID:1320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7606379088807507981,9279705577912325842,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:12⤵PID:5072
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2080
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3336
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3080
-
C:\Users\Admin\Downloads\hehehehehehhehehehe.exe"C:\Users\Admin\Downloads\hehehehehehhehehehe.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:944 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3808 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:4784
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\read_it.txt1⤵
- Opens file in notepad (likely ransom note)
PID:3456
-
C:\Users\Admin\Downloads\hehehehehehhehehehe.exe"C:\Users\Admin\Downloads\hehehehehehhehehehe.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2176 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
PID:4968
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA14f1ad1b5100c20b5342ed26f37eb534d2fd53fb7
SHA256e7d02c479550a61913d78f140bcea67fc91f6484354c9ff22b6940418eeb1aa3
SHA512b2a4071a2b2402c8cc2a803846a0c3671dacf61b0e6d5be3c2d2c6edfe5a227406c28da7f27c6c79a430869c77e650883498606fe9f8407f569d75ba974c935a
-
Filesize
1KB
MD59a7a8db3db7aef92ea9bebe2a5f9c2f7
SHA144a8fbfbc03e9e45057ae8e8bf2f99c8ecd7cc73
SHA2569bf0178e6e71e60dcf2869f96b75daa1db209aa0d6c0376bbb99b9ca2a8b8136
SHA512952451447f227970c014f659c145b570bb253c67b851acb1413ac70734c36b2cf1de999a724f85c09bf1773e9d63def347da560d608bf5718fb1a61fce3321fa
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e